In November 2020, California voters said "yes" to a proposition that would revise its historic California Consumer Privacy Act (CCPA) of 2018. The California Privacy Rights Act (CPRA) notably established a data protection agency in the state, to be staffed, in part, by individuals with extensive experience in the data privacy field. It took enforcement of the state's privacy law out of the hands of California's attorney general. The CPRA, effective Jan 1., 2023, also established additional data privacy rights for individuals. For example, it created a new data classification, "sensitive data," and outlines specific requirements for such data. Like Europe's sweeping privacy law, the Data Protection Regulation, it provides rights for individuals to request data deletion or to correct data stored about them.
It also made some business-friendly concessions, such as revising the definition of a "business" covered by the law to be those with 100,000 customers or more, instead of the previous threshold of 50,000.
But before it, and paving the way for the CPRA to have a rather frictionless entry into California's legal books, was the California Consumer Protection Act.
The CCPA passed via a ballot initiative and became effective on January 1, 2020. From its passage to its implementation, companies had just a few months to not only understand it but make sure their company and its employees were all doing what they're supposed to do to protect consumer's personal information and stay compliant with the regulation. While the CCPA is a California mandate, it doesn't just apply to California residents. Almost every company that does business with a California company, has California resident customers, or collects any personal data of a California resident for any purpose (customer or non-customer) must comply.
It's important to understand that every department within your company is responsible and has the potential to put the company at risk. Like the GDPR, the risk for non-compliance can be hefty fines and a loss of customer loyalty.
Understanding the California Consumer Privacy ActThe CCPA is a bill the California state legislature passed in 2018, but it didn't go into effect until January 2020. Just like the European Union's General Data Protection Regulation (GDPR), the CCPA forces the hand of many (but not all) organizations to protect consumers' data privacy rights. While the GDPR protects people in the EU, the CCPA is specific to California residents. According to the Standardized Regulatory Impact Assessment conducted by Berkeley Economic Advising and Research, LLC, the CCPA regulations will protect more than $12 billion worth of personal information that is used for advertising each year in California.
If you don't have a legal background, the CCPA verbiage may seem complicated and somewhat confusing. That's why we want to break it down for you. It has serious implications. No matter your background or current role, you can't play the ignorance card. It's up to every one of us to get this right.
Why do we have the California Consumer Privacy Act?The California Consumer Privacy Act aims to safeguard consumer privacy for Californians the same way the GDPR protects Europeans. The CCPA may seem like a pain for companies, but was a huge leap forward for consumers who value their data privacy. After all, we are all consumers and should care about the privacy of our personal information.
With so much of how we interact with businesses and organizations now digital, we share and leave behind incredible amounts of personal data, often data we don't even realize we have. This is your data. You own it. But up until now, the entities that use your data weren't held responsible for what they did with it. The CCPA aimed to change that, giving California residents new rights in how their personal information is collected and used.
Keep in mind that it's not just personal data like names and addresses. We're talking about...
- Credit card numbers
- Real names
- Postal addresses
- Social security numbers
- Income or similar information
- Browsing history and search history
- Commercial information
- Political affiliations
- Education information
- Religions affiliations
- Unique personal identifier / account name / online identifier
- Driver's license number
- Geolocation data
- Biometric information
- IP address or other device similar identifiers
- Passport number
- Other identifiable information
Because of this fact, organizations' feet are held to the fire. Businesses have to prove they are taking appropriate measures to either protect the data consumers agree to share with them or avoid collecting or sharing the personal data of consumers who decline permission. The required measures of the CCPA are lengthy and specific. If they weren't, there would be too much up for interpretation.
What are the regulations on personal information?According to California's Office of the Attorney General, to remain CCPA-compliant, businesses must:
- Provide notice to consumers at or before they collect personal data.
- Allow consumers to opt-out, read, and delete their personal data from the business's storage. Companies must provide a "Do Not Sell My Personal Information" link for opt-out requests.
- Respond to consumer requests within specific time frames.
- Show consumers privacy settings that signal their choice to opt-out.
- Verify the identity of consumers who ask to read and delete their information, even if they have a password-protected account with the business.
- Disclose financial incentives for retaining or selling the consumer's personal data and how they the value that data.
- Maintain records of all access requests for 24 months, as well as how the business responded.
What consumer rights does CCPA create on personal information?The CCPA creates specific consumer rights regarding personal data and data privacy. These rights are similar to the rights established by the GDPR, though they only apply to California residents. Residents have the following new rights:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and their vendors.
- The right to opt-out of the sale of their personal information and direct a company to stop selling their information. Children under the age of 16 must provide opt-in consent. Children under the age of 13 require the consent of a parent or guardian.
- The right to non-discrimination when a consumer exercises privacy rights under the CCPA.
Who has to comply?The CCPA doesn't just apply to massive businesses like Google or Amazon. While every company should value its customers and visitors' data privacy, not every business is required to comply with the CCPA regulations. The California attorney general included rules that exempt some businesses. CCPA only applies to a business if one or more of the following are true:
- Has a gross annual revenue of $25 million
- Buys, receives, or sells the consumer's personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of their revenue from selling consumers' personal information.
- In addition to the above, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
What happens if we fail to comply?Fines for non-compliance depend on the offense and other factors. Civil penalties start at $2,500 per violation for non-compliance deemed unintentional. For intentional non-compliance, those fines jump to as much as $7,500 per violation. Then, there's the time frame in which the business responds. The CCPA states that if a company can "cure" the non-compliance within 30 days of being notified of the offense, they get off with a warning. If they can't remedy the situation that fast, they are back on the hook and subject to fines.
Data breaches open up a whole new can of worms, enabling affected consumers the right to take specific action against the offending company. Consumers can bring an action for statutory damages in the event of a data breach caused by the organization's failure to implement reasonable security procedures for consumers' personal information.
How Will the California Attorney General Enforce This New Privacy Law?The California Attorney General Xavier Becerra still hasn't made plans for enforcement clear, even with all the publicity around CCPA. The one thing we do know is that the state is, so far, limited in its enforcement capabilities. The California Attorney General's office doesn't have enough resources to make sure companies are complying with the California law and managing non-compliance cases. For this reason, it's expected that some companies may simply take their chances of avoiding the attorney general's eye.
California residents aren't waiting for companies to figure out how to comply with CCPA regulations, either. There are already consumer class action lawsuits working their way through the court system (the civil side of the law to award statutory damages). Their outcomes are still pending, but the potential litigation is proving a point: companies aren't going to get away with non-compliance, at least not without a massive cost.
Aside from financial penalties (that amount to a portion of an organization's annual revenue), companies will care about earning the trust of consumers who will demand that they put their data privacy first. Consumers are becoming savvier, learning of their rights, and requiring companies to adhere to CCPA compliance or suffer the consequences. Protecting consumer rights to data privacy is the right thing to do, and now that California's new privacy law is in place, companies doing business with a California business or its residents will be forced to comply whether they want to or not.
Do Any Other States Besides California Have a Privacy Law to Protect Personal Information?Good question. Many believe consumers' right to data privacy should be federal law, not solely a state's decision. A federal privacy law would establish a consistent standard for all companies (similar to how the GDPR works). When it comes to sharing personal data, there are no borders. At the moment, however, only New York and California have data privacy state laws.
Most of the companies impacted by the CCPA have more than California residents as customers and have already taken steps to protect consumer data worldwide because of the CCPA. If the foundation of consumer rights is already there, it is just as easy to include customers from all over the United States and beyond.
The point of the regulation is to protect consumer data and personal information, and be transparent in how data is collected, stored, used, and shared. While no other states have come as far as California's new privacy law, it will likely serve as the model for how all states issue their regulations if the federal government doesn't step in with a federal privacy law. Rumor has it that New York and Illinois state will jump on board sometime in 2020 with their own consumer privacy laws.
Who in my Company is Responsible for Ensuring CCPA Compliance and the Safety of Personal Information?CCPA compliance is an all-hands-on-deck sort of thing. CEOs and CIOs often lead the charge, but because so many other departments collect and use consumer data, they all must understand the new data privacy law and take responsibility for what they do with personal information.
Case in point: marketing. Marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information whether they realize it or not. And, according to the CCPA, that information is now protected by data privacy law.
The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spread across the organization.
For this reason, companies should establish a systematic way to adhere to CCPA requirements. That means cleansing and reviewing all databases to ensure the organization can identify consent. It means putting consent pop-ups and policies front and center on your website. It means notifying consumers of how their personal data is collected, stored, used, and shared. Being proactive is the best way to minimize the risk of non-compliance.
CCPA requirements go beyond your own four walls, as well. Suppose your company shares its customer data to other companies. In that case, your company must also prove it has taken appropriate measures to continue to protect the data once it's in their hands. The web of data sharing and the responsibility of ownership of that data are extensive, complex, and dynamic.
Are There Cookie Consent Requirements in This New Privacy Law?We live in a world of cookies. Unfortunately, it's not of the sweet kind. We're talking about the technical cookies every website, and mobile application now uses to harvest personal information and learn about visitor habits. These cookies aren't all bad. They create an easier user experience (like remembering what you put in your online shopping cart) and track consumers for marketing purposes. It's the latter reason that makes cookies a sticking point when it comes to the California Consumer Privacy Act.
Cookie consent requirements mean companies have to use clear language in a conspicuous location to inform visitors of their cookie policies - before their information is collected. Visitors must be given the capability to accept or decline the terms.
What About Necessary Cookies?That said, the CCPA has an exception for necessary cookies (called "essential cookies" in this data privacy law). These are cookies that perform essential functions for the website's operation, like accessing a password-protected portion of the site or remembering products for a shopping cart. If these necessary cookies are placed by a business directly, the CCPA does not require that a business provide consumers a way to turn them off.
And just like cookie consent, consumers must be notified that their personal information is being collected and why. They then need to be given the ability to accept or decline - and that includes third party cookies that may be embedded on your site. You have to keep track of your users' preferences, even if you aren't entirely sure what is being collected or who is doing the collecting.
Is There an Easy Way to Comply With California's New Privacy Law?
So glad you asked. Yes, there is. California's new privacy law simply provides the guidelines and penalties for non-compliance. The measures a company takes to adhere to the law is up to them. You can choose to do it manually, coding pop-up consent boxes, tracking consumer preferences, and managing vendors' use of the data you share, or you can automate it.
There are also free and paid, open-source resources to make cookie notices and categories of personal information a breeze. Again, it uses automation to effortlessly manage consents, even changing the language to that of the visitor and then tracking consents for auditable record keeping.
When it comes to your vendors, do you know what they're doing with your customers' and users' personal information you've shared with them? If you don't want to violate California's new privacy law, you need to know. Depending on the number of vendors you have, this task can be virtually impossible because most vendors aren't disclosing how they use or share that information either. With CCPA, you can't just share or sell your consumer data to vendors and third parties and be done. It is your responsibility to keep consumers' personal information secure and comply with their wishes about how their data is used.
Since you have continued ownership of your consumer data, it's important to partner with vendors who share in your commitment to protect consumer data privacy rights and comply with the California Consumer Privacy Act. You can know this if you automate how you monitor privacy practices among your current and prospective vendors. Osano's automated solution can combine legal experts and AI technology to sift through all legal jargon to boil down exactly how each vendor treats consumer data and gives each vendor a risk score. You can even see how their vendors and their vendors' vendors treat that data - all in one place with a click. It's a quick and easy way to evaluate vendors and ensure they're doing as much as they can to protect the personal information you've shared with them. This will prove valuable in the event you are audited.