What is the CCPA? A Guide to California Privacy Law
Introduction: What is the CCPA?
The California Consumer Privacy Act will come into effect on January 1, 2020. This fact may have a significant impact on your business.
California is the crown jewel in the United States economy. If it were a standalone country, its $2.7 trillion GDP would be the fifth-largest in the world, sitting ahead of the United Kingdom. Combined with the state’s status as an incubator for tech innovation and consumer culture, California gives outsized importance for all kinds of businesses operating at local, national, and multinational levels.
The CCPA forces enterprises reaching a particular scale to contend. Other states will soon follow suit with similar legislative pieces of their own. California has long been a bellwether for US-wide tech legislation.
This examines the CCPA piece-by-piece, analyzing business impact, with particular attention given to the consequences for Small-to-Medium Enterprise (SME) ‘s data management, systems, and practices.
The conclusion should clarify the CCPA is nothing to fear for management and development teams. Teams that are proactive and thoughtful in adapting to CCPA prescriptions will get ahead in successfully achieving compliance. For those that don’t use the appropriate amount of care, the consequences can be severe.
Getting Started: What is the Scope of CCPA?
Reading through the CCPA is quite a different exercise to reading through the GDPR. For context, the GDPR is another major piece of consumer data protection legislation to emerge in recent times. The language of the GDPR is clear and its structure is logical. Contrastly, the grammar of the CCPA is a dense “legalese”. The structure of the Act skips from one area to another without a consistent thread.
The CCPA is a series of builds or amendments to previously existing pieces of legislation. Compared to the GDPR, which was an attempt to craft a comprehensive data protection policy from scratch. The upshot is that it’s most sensible to analyze the CCPA under topic groupings rather than from top to bottom. The first topic is essential to consider is scope: Whom does the CCPA apply? There’s a host of ways business are subject to CCPA requirements.
How to Determine If your Business Qualifies
Regardless of the amount of data you collect, do you have gross revenue over $25 million? Then the CCPA applies to you. However, if you’re not operating at that scale and still collect, buy, or sell the personal information of over 50,000 people, households, or devices per year, then the CCPA also applies to you. If a business doesn’t process that amount of personal information, but still earns more than half of yearly revenue (no matter what number) from selling consumers’ data, then the CCPA is applicable. Of course, your company must also have a business presence in the state of California, because that’s as far as the legislation’s power extends.
“Personal Data” is the second scope-related question in the CCPA. Whereas other pieces of data legislation take an umbrella-view of defining what constitutes personal data, the CCPA attempts to spell out in more explicit detail the types of information that count. The list here is extensive and worth comprehensive review, but a pivotal point to realize is that the CCPA covers information that links to households as well as individuals.
In effect, this means that certain information which would not be protected under other pieces of legislation because they can’t be associated with an individual. For example, TV viewing records or non-individual linked purchase behavior data are considered personal data under the CCPA because they are linked to a household.
Digging Deeper: What are the Intentions of the CCPA?
Once you address the question of scope, it’s possible to begin examining the intentions of the California Consumer Privacy Act and, at macro-level, the measures it takes to achieve those intentions.
Section 2 of the Act explicitly outlines the aim of this piece of legislation – empowering citizens of California to:
- Know what personal data is organizations are collecting about them
- Know if/when personal information is sold or disclosed and to whom
- Say “no” to the sale of their data
- Access the personal data that an organization has collected about them
- Obtain equal service and price from companies collecting personal data.
Right away a development team or project manager tasked with architecting their SME’s data infrastructure should see that these aims if adequately supported by the legislation, carry far-reaching consequences for how businesses build their data management systems.
The old notion of siloing company data is dead. Data is no longer an organic mass. It is information continuously added and subtracted through interaction with company employees and product consumers. Businesses will face real challenges with being and staying CCPA-compliant. They need flexibility and agility built into the architecture, including collection and storage to retrieval and analysis.
Business Obligations: CCPA’s Impact on the Data Landscape
Given the objectives stated, what are the concrete steps businesses must take to avoid running afoul of the CCPA? Here’s a list a summary of the most important:
Companies must be able to disclose to a requesting consumer the categories and specific pieces of personal information that the business has collected.
Businesses must have both a clearly-signposted Method for consumers to lodge a request for information and a streamlined system for disaggregating an individual’s data from their database. They need to deliver it in a timely fashion too. It’s worth noting that a business is obligated to provide this information up to two times in twelve months. Though it may seem self-evident, this means a system is needed to track Information Requests so that one individual doesn’t overly burden the system.
Consider that even some businesses operating at scale don’t possess a system for request intake nor keep a single-location record of information requests. In this scenario, it’s entirely feasible that a single individual could take up far more valuable staff time than legally necessary through repeated information requests.
These are easy solves when considered upfront but can be challenging if retrofitted only when the problem becomes evident. An additional requirement of this capability is that the delivery of this data must be free and in reasonably consumable form, which means that businesses can’t charge a consumer to receive a record of their data record, and they also can’t present that data in some arcane file format that the consumer will have difficulty decoding.
All in all, this requirement could lead to significant business impact for companies that are not already up to speed on current best practices for data management.
At or before the point of data collection, businesses are required to inform consumers of the categories of personal information they intend to collect and the purpose for using specific types of personal information.
For any SME operating on “highest common denominator” principles, this will be no surprise. After all, this is already a requirement under GDPR law. It’s reasonable to expect that as the world follows in the footsteps of the CCPA and GDPR, upfront disclosure of data collection will become a standard legal procedure.
In practice, this can have a range of implications for a company’s customer experience on- and offline, such as:
- A pop-up box for consent to cookies
- An opt-in screen before a user enters the purchase funnel
- Changes to the purchase experience in physical store locations that are passively collecting data on in-store customer behavior
Under CCPA law, some forms of personal information are protected that can’t be tied directly to an individual. To fully understand how this CCPA requirement could change the way a company does business, an in-depth audit will often be necessary.
Lastly, businesses and marketers collecting information on consumers need to be able to wipe out that information entirely upon request.
Not only that but in many cases, the business must be able to direct related service providers who utilize this info to wipe it also. It does not matter whether the data has been sold as part of a second-party set or shared as part of a service-delivery process; the requirement stands.
This obligation demonstrates businesses operating under CCPA jurisdiction have no choice but to end antiquated “data-silo” operations. Especially those that made ongoing alterations to a data store difficult and time-consuming. Businesses will have to ensure their partners and data clients have this same capability. They can be held liable for a partner’s failure to remove records from a database.
What are the Costs for Violating CCPA?
Of course, the CCPA couldn’t hope to be a compelling piece of privacy legislation without effective enforcement mechanisms to keep companies honest. What are the consequences for organizations that run afoul of their prescriptions? To put it straight, they can add up quickly.
A person, business, or service provider found in violation of the CCPA is subject to a court injunction. They are also liable for a civil penalty of up to $2,500 per unintentional violation and $7,500 per intentional violation.
The critical thing to remember is that for companies dealing with large amounts of personal data, violations likely won’t number in the tens, hundreds, or even thousands of customers. A systemic violation of CCPA provisions can quickly put a six-digit multiplier on the $2,500 or $7,500 fine.
For many SME’s, this could prove a high enough number to sink them entirely. That’s not all. Apart from civil liability, consumers can bring action of up to $750 per incident. Plus, the value of personal damages. A business failing to simply notify their consumers they’re collecting web data can quickly find themselves looking down the barrel of a damaging class-action civil suit.
In essence, the CCPA is a piece of legislation that takes data protection seriously. It has the enforcement clout to make businesses take it seriously too. The bill becomes the law of the land on January 1, 2020. Companies with a footprint in California have approximately six months as of the time of writing to ensure they’re not at risk for severe financial penalties.
First Steps: How Should Teams Prepare for the New Data Landscape?
Time to take action! What are the steps that teams should take now? Let’s examine some of the critical steps any business can take to prepare.
Conduct a Review of Existing Data Architecture.
If you’re a typical SME preparing for what lies ahead, your first step is to comprehensively review data operations. Prepare data maps, inventories, and other records to catalog. Include all points of collection, storage, retrieval, and exploitation of personal information relating to California-based consumers. Only through this exercise can a business accurately plan for the changes needed to be CCPA-compliant.
Consider more than California-only web/mobile/business models
For companies operating at a global scale, we recommend adopting a highest-common denominator approach to a full data architecture redesign. It future-proofs operations, saving time and money due to decreased need for bespoke solutions based on territory.
For companies with a smaller footprint; however, it may be worthwhile to examine building California-specific consumer experiences. Your SME can decide on the best business option by following the previously mentioned systematic audit of current data operations.
Ensure there are available online and offline methods for submitting Data Access Requests
The CCPA requires companies to consider their relationship with consumers. The CCPA mandates a toll-free number dedicated to submitting data access requests, so businesses ensure their intake system isn’t online-only.
Provide a Clear “Do Not Sell My Personal Information” Option on web properties
It’s another non-negotiable requirement of the CCPA. California citizens or those authorized to represent them must be able to designate that their data is not for sale. A user who selects this option can’t suffer a diminished experience if they don’t want their data sold. In contrast, the GDPR does allow companies to alter their experience if customers don’t want their data monetized.
Plan New Systems That Can Perform The Following Functions
- Verify the identity of individuals who request data access or data deletion
- Respond to requests for data access or deletion within 45 days
- Determine the age of a California resident. Companies must obtain parental consent for data collection for users under 13. If they don’t have a way to determine the user’s age, they can be held liable for disregarding this obligation.
If this seems like a significant amount of work, it’s because it is.
Since its inception, the Internet has been a relatively lawless environment regarding consumer protection. Now the days of the Internet as a Wild West are genuinely drawing to a close. Just like in the physical world, businesses that wish to profit must follow the rules or face the consequences. Luckily with the proper foresight and attention, CCPA compliance can be a straightforward exercise that doesn’t break the balance sheet.
Published from our Privacy Magazine – To read more, visit Privacy.dev