The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. It’s a law that protects the privacy rights of consumers within the state. Similar to Europe’s General Data Protection Regulation (GDPR), the CCPA will affect many businesses that collect personal information from the residents of California.
Which businesses have to comply with California’s data privacy law?
All for-profit entities serving residents of California will be responsible for complying with the CCPA if they meet any of these conditions:
- Have an annual gross revenue that totals $25 million or higher
- Buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices
- Make the majority of their annual revenue from selling personal data
Companies don’t have to be based in the state of California or have a physical presence there to fall under the law. They don’t even have to be based in the U.S.
Any business in the world would only need 137 unique website visitors from California per day to reach the threshold of 50,000 Californian consumers that would make them subject to the rules laid out in the CCPA.
What data does the CCPA cover?
The California law takes an even broader approach to what constitutes sensitive data than the European GDPR.
The legislation contains dozens and possibly hundreds of specific data items, including:
- Biometric data
- Demographic information:
  - Phone number
  - Mailing address
  - Email address
- Household purchase data
- Family information (e.g., number of children)
- Education and employment histories
- Financial information
- Sleep habits
- and more…
The CCPA will allow consumers to demand that companies tell them what personal information they have collected, and to require companies to delete that data or stop sharing it with third parties. Meanwhile, companies will have to do more to tell consumers upfront about what data they collect.
For example, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can’t find out how their information has been collected or get copies of that information.
How will CCPA affect E-commerce?
It’s a state law that applies to companies that do business in California; however, it also covers out-of-state merchants who sell to Californians or even display a website in the state.
Since nearly 40 million people live in the state of California and its residents make up 12 percent of the population of the entire US, most E-commerce businesses will comply with the CCPA rather than step away from the world’s fifth largest economy. It’s worth noting that California’s economy is worth $2.7 trillion, which places it right after Germany and before the United Kingdom.
What is more, nearly every enterprise marketing team nowadays uses consumer data to create personalized digital experiences, develop smarter analytics, inform segmentation, produce effective email marketing campaigns, and many other things that ultimately fuel the growth and success of their organizations. So it’s pretty safe to say that the CCPA is going to have a huge impact on marketing teams and businesses as a whole if they aren’t compliant by the time 2020 rolls around.
What happens if a company doesn’t comply with the CCPA?
After that date, Americans will be able to demand that companies disclose what personal data they have collected about them, and also ask companies to delete that data. Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record.
There’s also another potential financial risk. The bill provides for an individual’s right to sue and it allows class action lawsuits for damages.
Guidelines to comply with California’s consumer privacy law:
- What kind of information you receive and process
- Why you collect and process information
- How you collect and process information
- How users can request access, change, move, or delete their data
- The method for verifying the identity of the person who submits a request
- Sale of users’ data and how they can opt-out of the selling of their data
- Introduce a method for verification of the identity of the person making such requests
- Introduce a “Do Not Sell My Personal Information” link on your home page. If your users click the link, it means you can’t sell the users’ data to a third party. According to Computer Services, Inc., this must be a “clear and conspicuous statement that is linked to a page that allows consumers to opt-out of having their personal information sold.”
- Obtain prior consent from minors 13-16 years old before selling their data. For children younger than 13 you must obtain prior permission from their parents
- Make sure your customer data is secure: Although CCPA doesn’t specifically change existing laws regarding data security, it does include a “private cause of action” provision which could increase statutory penalties for security incidents and data breaches that negatively impact your customers.
CCPA and GDPR
The California Consumer Privacy Act has been described by some as “almost GDPR in the US.” Although it takes an even broader approach to what constitutes sensitive data than its European counterpart, if a company took the steps needed to comply with the GDPR, then it’s most of the way there for the California Consumer Privacy Act.
Key differences between the GDPR and CCPA:
- The CCPA applies only to businesses, while the GDPR covers any entity that processes the personal data of protected consumers/residents.
- The GDPR allows covered entities to establish equivalent mechanisms, while the CCPA prescribes disclosures, communication channels, and other measures.
- The CCPA uses a broader definition of personal information.
- Access and deletion requests are both granted but have different conditions.
- The CCPA sets more rigid restrictions for commercial sharing of personal data.
- The CCPA does not expressly include the right to correct errors in processed personal data.
- The CCPA does not expressly include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect).
- The GDPR sets the penalty limit at 4% of global annual revenues, while the CCPA does not have a ceiling on regulator penalties.
- The CCPA sets minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators, while the GDPR prescribes neither a floor nor a ceiling for damages.