The data Death Star is coming – are you ready?
The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. It promises to revolutionize the way businesses collect, store, and sell consumer data in California and beyond.
1. What is CCPA?
The California Consumer Privacy Act is an extra layer of protection afforded to consumers in California. It allows people to view, delete, and stop the sale of all personal data collected by for-profit companies that meet various conditions (see #2 for conditions).
The law further protects consumers from any discrimination based on their choice to opt in to or out of data collection, and provides them with an avenue for legal recourse should their data be mistreated, hacked, or sold without their permission.
2. How to know if you’re impacted
CCPA applies to for-profit companies collecting information on or selling to Californians, including displaying internet ads to California residents.
This new legislation will impact any for-profit company selling, advertising or working with California residents that meets at least one of the following criteria:
- The company has an annual gross revenue exceeding $25 million
- The company receives, buys, sells, collects, or shares personal data from 50,000 or more sources, including consumers, households, or devices. Think about your own home – how many smart devices do you own? The device count can easily exceed 20 in a single household (Alexa, Google Home, laptops, desktops, smartphones, tablets, e-readers, etc.). CCPA also adopts a liberal definition of ‘consumer.’ Frighteningly, a consumer includes any “natural person who is a California resident.” That includes personal information on all employees and potential customers.
- The company derives 50% or more of its annual revenues from selling consumers’ personal information. Personal information includes, but is not limited to, name, alias, postal address, email address, account name, social security number, driver’s license number, passport number, IP address, etc.
3. What does your company need to do?
- Clearly communicate on your website what type of personal data is being collected
- Tell people whether their personal information is being sold or disclosed and to whom
- Delete all personal information of an individual upon request
- Make available all personal information collected on a person upon request
- Provide the same quality and price of service to all consumers, regardless of whether they choose to exercise their privacy rights
- Notify consumers if information is sold to third parties
4. What are the financial repercussions for violations?
The penalties for violating CCPA vary depending on the intentions of the offending company and the speed with which the company remedies the issue.
- An unintentional violation will cost your company $2500 for each individual violation – and each affected person, device, or household counts as a separate violation.
- An intentional or knowing violation will cost your company $7500/violation.
- BUT companies will have 30 days to correct the issue after receiving official notice.
This last provision – the 30-day grace period – ensures that companies have an ‘out’ and will not face immediate legal or financial repercussions. Though companies should still do everything in their power to follow CCPA, lawyers claim that this final provision will make legal action unlikely.
5. General exceptions to CCPA
Publicly sourced personal data: Personal data obtained through public sources (e.g., the census) is exempt. But try to use 10-year-old census data to determine your business strategy and you will be sorely disappointed. In addition, aggregated information – where no single person can be identified – is permitted under CCPA.
Incentivizing consumers: While companies cannot discriminate based on a user’s choice to protect their personal information, a company can “offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information” (AB-375).
Differential pricing/quality: “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data” (AB-375).
6. Pre-CCPA Checklist
Make these changes before January 1, 2020 to protect your company:
- A clear and conspicuous ‘do not sell my personal information’ button should be added to the company website, enabling the consumer to opt out of the sale of their personal data.
- Your website should include a simple way to submit data requests and, at a minimum, a toll-free telephone number to contact regarding such requests.
- An internal mechanism should be created allowing your company to collect and deliver requested information within 45 days of receiving the consumer’s request.
Whenever a sweeping new law takes effect, there’s sure to be some initial confusion. Don’t leave your company vulnerable – follow the suggestions outlined above, download this sheet as a PDF and share it with your executive team, and get in touch if you need qualified consultants to help shore up vulnerabilities in your organization.
Please note that the information provided, while authoritative, is not guaranteed for accuracy and legality. This information is for guidance, ideas, and assistance.