The CCPA is a Harbinger for U.S. Data Privacy Regulations
Although the California Consumer Privacy Act (CCPA) was signed in June of last year, its enforcement date is swiftly approaching. The California Attorney General announced that they would begin enforcing the law on July 1, 2020. The law granted new data rights regarding the use and collection of personally identifiable information (PII) to any individual that resides in the state. What this means for businesses that operate within California (and to an extent, a majority of U.S.-based businesses) is no small matter. Under the law, companies aren’t required to be based in the state or even have a presence in the U.S.; if you serve California residents, then the rules most likely apply to you, and the law applies to California residents, even if they may be in another state at the time they visit a website, so CCPA has effectively become a national law for the United States of America.
California boasts the largest gross state product — $3.018 trillion in 2018 — and could be considered the fifth largest economy in the world if taken as a stand-alone figure. Propelled by tech sector behemoths like Apple, Oracle, Synnex, Intel, Salesforce, Facebook and so on, the CCPA’s ramifications for employees, customers and operations signals big changes on the horizon regarding privacy and data practices.
New Laws of the Land
In the spring of 2018, the European Union (EU) introduced the General Data Protection Regulation (GDPR), the strictest privacy legislation to date in the digital age. The GDPR gives EU citizens control of their personal data through codified and unified data laws, forging an environment of trust via regulation for businesses and citizens alike. With obligations around personal data, privacy, consent, access, and breach notification, many components of the GDPR lay the groundwork for the legislative measures of CCPA.
In its initial presentation, the CCPA states that it intends to “give Californians the ‘who, what, where, and when” of how businesses handle consumers’ personal information.” Three major objectives of the bill include:
- Right to Know
Businesses use PII daily for targeting information. Under the CCPA, consumers will have the right to know exactly what personal information is being collected about them.
- Right to Say No
With extensive records on consumers, including names, educational information, web browsing habits, geolocation data, biometrics, employment history, financial records and other data, businesses often collect this information and sell or share it with other businesses. Under the CCPA, consumers can opt out of having their personal information shared or sold in many circumstances.
- Right to Protections
If a business fails to take preventive security precautions with consumer data, under the CCPA, consumers have the right to take legal actions against businesses that disrespect data privacy practices.
While there are qualifying criteria for companies that must comply with the CCPA (annual gross revenue of $25 million and up, 50,000+ personal information/accounts or 50% or more annual revenue generated by California residents’ PII), the CCPA heralds changes coming down the pipeline for all.
Front Runner, For Now
The CCPA has been grabbing headlines as its enforceable day draws near but more than a dozen other states are quietly working toward their own data protection regulations. Though California’s measures are regarded as the most comprehensive, the tides are shifting. Nevada’s Senate Bill 220, Maine’s Act to Protect the Privacy of Online Consumer Information, and Pennsylvania’s House Bill 1049 are examples of three states fast-tracking protections for consumer data. Oregon, New York, New Jersey, Massachusetts, Maryland, Texas, and Washington are similarly undergoing processes to update information protections pertaining to data privacy, security, cybersecurity and breach notification laws.
The point being, there is significant momentum around changing privacy and data management practices. The CCPA is the front-runner for now and while each state’s actions are different, how long will it be before the U.S. implements sweeping regulations? Now is not the time for your business to sit back and wait. Inaction at this precarious juncture runs a costly risk.
Why You Need to Be Compliant
Money is a simple answer to why you need to be compliant. Fines for infractions under CCPA will range from $2,500 to a cap of $7,500 per violation. While this amount has the capacity to accumulate quickly, the bigger fear revolves around the legislative language surrounding the rights of consumers to bring lawsuits against a business for a breach or exposure of private data.
To avoid either scenario, shoring up vulnerabilities in your organization is imperative. Personal data must be accounted for; access requests require a response strategy for search, access, and security. The window for figuring out how to adhere to compliance is narrowing as the deadline approaches.
Time is of the essence to secure the reputation of your organization and the future of your business.