On June 28, 2018, California’s governor, Jerry Brown, signed Assembly Bill 375, also known as the California Consumer Privacy Act (CCPA).
The law, which will take effect on Jan. 1, 2020, is similar to the European Union’s General Data Protection Regulation (GDPR), which has required companies such as Alphabet Inc., Facebook Inc., Netflix Inc., Amazon.com Inc., and Twitter Inc. to comply or face multimillion-dollar fines for non-compliance. Despite businesses’ growing awareness of the consequences of non-compliance with regulations such as the CCPA and GDPR, only 14% of respondents to a recent survey by TrustArc were CCPA-compliant.
Estimates suggest the law will affect more than 500,000 businesses in America alone and many more around the world that sell to consumers who live in California. Retailers need to pay heed to the law given that non-compliance could lead to hefty fines.
What businesses does the CCPA apply to?
The CCPA is applicable to any business that meets any of the following criteria:
- A for-profit business that sells to any of California’s 39.5 million residents and generates over $25 million in annual revenue.
- A company that receives or shares personal information of more than 50,000 California residents annually.
- A company that derives at least 50% of its annual revenue by selling the personal information of California’s residents.
While small business owners can breathe a sigh of relief, larger enterprises need to prepare or potentially face significant fines.
What is the purpose of the CCPA?
The CCPA is focused on consumers’ data protection rights. The law will give a California resident who buys goods or services from any business around the world that matches the CCPA’s criteria the right to opt out of having any of his personal information stored by that company. Businesses must also be transparent about the kinds of data they collect from customers, which include, but are not limited to:
- Telephone number
- Social security numbers
- Driver’s licenses/Passport details
- Educational information
- PIN numbers
- Browsing data
- Biometric data
- Purchase histories
- Device type
CCPA’s key implications
- If any Californian contacts a relevant business and asks what personal data it has stored, the business will have up to 45 days to respond with a complete record; otherwise it will be considered non-compliant and can be penalized.
- A consumer will be able to opt out of businesses storing or sharing their personal data with third parties.
- If a business purchased third-party data, the California consumer will have a right to know what that purchased data contains about them, whom the business shared it with, and whom the business purchased it from.
- Any Californian will be able to ask that any personal information a business is storing about them be deleted.
- For Californian customers under age 16, businesses must provide an opt-in; for those under 13, they need a parent’s or guardian’s consent.
- Businesses cannot penalize any California consumer who exercises their rights under the CCPA.
Under the CCPA, businesses are required to provide an easy-to-access and easy-to-see “Do Not Sell My Personal Information” option so consumers can opt out of having their personal information shared with third parties.
California’s attorney general, Xavier Becerra, will enforce CCPA. He will be able to sue or join class-action suits against any business that breaches consumers’ rights.
What are the implications of not complying with the CCPA?
If a company breaches any of the above-listed requirements, it will be considered non-compliant.
Businesses can expect fines of $2,500 per unintentional violation and $7,500 per intentional violation. Fines are levied on a “per person/account” basis. That means that if one Californian finds out a business is not compliant, he can report it. It would be reasonable to assume that if a business isn’t compliant for one California consumer, it likely is not compliant for all of them.
If a business owner wants to know how much it is potentially liable for not complying with the CCPA, it can multiply the number of California-based customers it has by $7,500. That can quickly add up: even if it has only 50 Californian customers, it could face a $375,000 fine. If it has 1,000 or 10,000 customers in California, this could easily put a lot of companies out of business.
California consumers can sue over data breaches
The legislation also establishes the consumers’ right to take private action against covered businesses that fail to protect their data. This means that any California resident whose personal information was accessed illegally, stolen, or disclosed as a result of substandard security measures can file a civil suit. So in addition to paying fines, businesses can be required under the CCPA to pay their customers when a data breach occurs and the stolen data was not encrypted or redacted.
Statutory damages for such civil cases have a minimum of $100 and a ceiling of $750 per consumer per incident plus any other declaratory, injunctive, and other relief the court deems proper.
Businesses must encrypt/redact all of their customers’ personal information to avoid this payout.
Steps to CCPA Readiness
So what steps can a business take to ensure it meets the CCPA requirements? The first step I recommend is to thoroughly audit your data collection, storage and management processes. Do a deep dive to determine all touch points where you collect, store and use your customer data. Consider the following questions:
- Who has access to it?
- What data points are you collecting?
- What type of data are you storing?
- In what format?
- Is it encrypted?
- Which database contains purchasing history?
- Where is the data stored and used geographically?
- Is the data structured or unstructured?
- Can it be segregated by area, e.g. California, European Union, Rest of World?
- Are you getting any customer data from third parties? The CCPA affects not only the data a business collects but any third-party data a company potentially purchases. So before you purchase any third-party data from vendors, ask them for certification to prove their CCPA compliance!
Plan for customer data requests
Do you have an action plan in place for how to respond when someone from California requests their data?
- Who will be the person tasked with handling these requests?
- Will he know how to effectively respond?
- What tools will he use to extract data?
- How will he manage the requests made to delete data?
Remember, if you don’t respond within 45 days, the consumer can take action against you.
Future proofing for data regulations
The GDPR and the CCPA are just the start of a long list of data regulations coming into effect. This increased regulatory burden could potentially begin to suffocate companies. Having an internal Data Protection Officer (DPO) whose job it is to ensure the business is compliant with all the various data protection laws around the world will probably become commonplace in the future. But having technical solutions in place that automatically ensure your data is compliant with the GDPR, the CCPA or any future laws is one of the easiest ways to stay compliant.
While bringing in an appropriate technical solution may mean an additional cost, staying compliant will probably cost a lot less than non-compliance. Accordingly, 72% of American companies expect to invest in technology specifically to comply with the CCPA. The right technology platform gets rid of a lot of the stress involved in managing the potentially dozens of different data regulations that different states and countries around the world now have in the works.
Instead of investing in legal fees, I recommend seeking out CIAM (customer identity and access management) technology as a cost-effective way to comply with the CCPA. With CIAM technology, businesses can customize registration and login pages to include necessary disclosure statements and request customer consent. It can consolidate customer data from multiple web and mobile platforms into one single profile so businesses can easily provide customers’ personal information upon request. CIAM solutions can also encrypt customer data and provide world-class data protection. The CCPA is a legal problem that can be solved with technology.
About the author
Rakesh Soni is the CEO of LoginRadius, a provider of cloud-based digital identity tools.