The California Consumer Privacy Act of 2018 is a new law that will have wide-ranging impacts on how businesses everywhere (regardless of whether they’re based in California or not) interact with their online customers.
The act, known as CCPA, is set to take effect January 1, 2020. The CCPA regulates how companies handle data breaches, Personally Identifiable Information (PII), the sale of data to third parties, and consumer requests to review and delete the data. Companies who do business in California should invest now in technology to help them tackle new logistical challenges brought on by the law. Those who fail to comply—either intentionally or unintentionally—will face steep fines and consumer lawsuits that could add up to millions in losses.
Which companies must comply with CCPA?
A company that interacts with Californian consumers must meet one or more of the following criteria to be subject to CCPA regulations:
- Gross at least $25 million in revenue annually;
- Obtain personal information of 50,000 or more California residents, households or devices annually; or
- Receive 50% or more of their annual revenue from selling California residents’ PII.
Parent companies, subsidiaries and affiliates under the same branding are considered one “business” in the CCPA even if they do not meet the criteria above independently.
What does CCPA compliance look like?
To comply with CCPA, qualifying companies must:
- Notify existing and potential customers about what data will be collected and allow them to opt out. This opt-out notice is required each time data from a new information “category” is collected. Picture this as a popup or form on your website that explains what information will be collected and options to opt in or out. A business that collects consumer’s personal information needs to include the reason for why each category of PII will be used. A business cannot collect additional categories of PII or use PII for additional purposes without notifying consumers.
- Process and honor requests to provide and delete copies of a consumer’s PII, which can include but is not limited to: Real name, alias, postal address, unique personal identifier, online identifier, cookies, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. PII also includes browsing history, search history, geolocation and information regarding a consumer’s interaction with a website or advertisement. Consumers must be able to make these requests via a toll-free number or website process. They can request information about PII collected in the last 12 months. When a consumer requests this data, the business must tell them from which categories and source their PII was collected, the business’ reason for collecting and selling the PII, and the categories of third-parties to which the business shares/sells PII.
- If consumers’ PII requests are deemed excessive and repetitive, the business can charge a reasonable fee to help offset the administrative costs of complying with the request. Businesses are also able to refuse requests on the grounds of them being excessive. But the business will bear the burden of demonstrating that any verified consumer request is “excessive.”
What will happen if a business doesn’t comply?
Businesses that do not comply may face civil action lawsuits and state-levied fines. There are varying levels of actions that can be taken by California and consumers.
State-levied fines come in two varieties: $2,500 per unintentional violation and a $7,500 per intentional violation. If a business regularly handles thousands of pieces of PII or more, there’s significant financial risk here.
There could be a bigger threat, though: According to Security Now, an online publication about information security, the CCPA clearly grants people the right to bring lawsuits for the breach of their “non-encrypted or non-redacted personal information” even without proof of actual damage. They can recover between $100 and $750 per incident or more if they can prove actual damages exceeding $750.
While the per-incident amounts are not high, they could quickly add up if consumers are regularly filing them or if a class-action suit is filed.
What can companies do to prepare?
To process the large volume of requests related to PII, companies should consider refining how they organize, access, and track data and notify website visitors about what data they’ll be collecting and why.
If you’re at a company that qualifies for CCPA regulation, consider implementing the following technology solutions to reduce future operational headaches:
- Streamlining opt-in and opt-out processes on your website. Make the processes as clear as possible for users. It’s important to note that there is a mandatory opt-in requirement if your company sells PII of California minors who are under 16 years old. Practically, this means deploying a notification/alert/popup system on your website that’s smart enough to determine if a visitor should have the opt-in/opt-out options, which PII they need to be notified about, and to collect their response and adjust other functions of your website or web application accordingly.
- Consider how you’ll respond to and process consumer requests to access their PII in a timely fashion. How will you locate and delete select PII records after a consumer requests it? You have to tell the consumer what PII of theirs you have and remove it within 45 days unless the scale of the consumer request requires a longer window. That’s not a lot of time, especially if you’ve got a backlog of requests piling up. Your approach should be organized and methodical. Consider implementing a tool in your site’s back-end that allows a designated staffer to review a queue of consumer requests, accept or reject them according to CCPA stipulations, easily locate the requested PII, and automatically send it to the requester before deleting it from your database. This system will also allow you to easily maintain a log of all requests and subsequent actions for auditing purposes.
- Are you able to easily determine exactly who you’ve sold a piece of PII to? Can you filter purchasers of the PII you’ve collected by category? Consumers will have the right to request this type of information from you, and by law you’ll need to respond to them with detailed information within a short timeframe. Unless you already have a robust tool for filtering, searching, and organizing the PII you collect through your website, sales process, or web application, now is the time to invest in one.
Writing on the wall
California is taking the lead on personal information and privacy sharing. The implementation of the CCPA could potentially be a catalyst to a larger initiative on the federal level that all states must comply with. Future-looking business will prepare as if that’s the case.
Please also note that The CCPA is a new act and could evolve substantially prior to implementation in early January 2020. Please subscribe to our Talk Nerdy To Me Blog to follow updates regarding the CCPA and how it will affect your business.
Disclaimer: This notice is meant to provide you with initial information regarding recent regulations and developments; this should not be construed as legal advice or a solicitation. Speak with your Legal Counsel to verify that your business does, or does not need to comply with the California Consumer Privacy Act of 2018 (CCPA).