July 1 will mark a new era for data privacy, with enforcement of the California Consumer Privacy Act (CCPA) scheduled to begin.
The CCPA has arrived with little of the fanfare that greeted the EU’s General Data Protection Regulation (GDPR) in 2018. GDPR was headline news for months, and European companies of all shapes and sizes took notice in the rush to become compliant.
Of course, the CCPA’s relatively low profile in Europe makes sense, with businesses so focused on their responses to COVID-19.
And, after all, it is a piece of state-level legislation, not even prescribed at the federal level.
Your natural reaction could be: We’ve already got the GDPR, so why should we care about another piece of data regulation?
Unfortunately, you do need to pay attention to the CCPA. And I’m here to explain why.
Who is affected by CCPA?
Don’t be fooled by the name: The reach of the CCPA extends far beyond Californian state lines. Let’s get the nitty-gritty out of the way and define who the law really affects.
At a basic level, you need to worry about CCPA if your company:
- Does business in California
- Collects personal information of consumers who are California residents
and satisfies at least one of the following criteria:
- Buys, receives, sells or shares the personal information of at least 50,000 California residents, households or devices
- Has an annual gross revenue of over $25,000,000
- Derives more than 50% of its annual revenue from selling the personal information of Californians
Phew, you might be thinking! Well, I wouldn’t stop reading just yet. Unhelpfully, CCPA doesn’t clearly define what ‘doing business’ in California actually means.
However, what is clear is that you don’t need to have offices or employees in California to be considered to be doing business there. Simply having users or customers in the state could be considered sufficient.
In this digital-first world, businesses are often international from day one, and it is likely that your business interacts with more Californians than you think.
After all, there are 40 million of them, and the state’s economy is the fifth largest in the world (bigger than the UK’s!).
The concept of ‘selling personal information’ is perhaps CCPA’s biggest grey area.
Importantly, under CCPA ‘selling personal information’ doesn’t necessarily involve making a payment, and could also refer to actions such as ‘disseminating’, ‘making available’ and ‘transferring’ data.
Under the CCPA’s broad definitions, even online advertising — something which almost every business does — can be considered ‘selling’ if it involves the sharing of cookies to track behaviour online.
Although the CCPA’s definitions are somewhat unclear, it would be rash to assume that the law will not impact businesses based in Europe.
CCPA sits on moving plates
You also should not assume that because your business is GDPR-compliant, it is automatically CCPA-compliant. GDPR and the CCPA have many similarities, but there are also major differences and it is important that your business understands them.
In addition, the CCPA is not without its weaknesses. It was pulled together quickly without consulting key stakeholders, and its short history has been defined by ambiguity.
Plans for the GDPR were in the works years before it finally came into effect and it had been scrutinised at length. By contrast, the CCPA was signed into law in 2018 just months after it was first put forward by a private group of consumer advocates.
The State Legislature scrambled to pass it before it could be passed via ballot initiative, which would have made it part of the state constitution, and therefore very difficult to amend or update.
As a result, a number of key details are yet to be finalized by Californian Attorney General Xavier Becerra. This has led to an unusual state of affairs where there is a law that companies need to comply with, and yet they do not know exactly what compliance actually looks like.
With enforcement scheduled to kick off in July, the penalties could be crippling for businesses. The fine for unintentional violations will be $2,500. Crucially, that’s per violation. So if you failed to comply for 1,000 Californians, the penalty would be $2.5 million (about €2.3 million or £1.9 million). Clearly, with fines of that level, non-compliance is not a viable option for most businesses.
There has been some pressure on Xavier Becerra to extend the deadline for compliance due to COVID-19.
But at present, the Attorney General’s Office remains committed to the original deadline, even circulating a reminder to residents of their new online rights.
As more and more people do everyday tasks like grocery shopping online, it would seem that Becerra is determined that their data is protected.
Your company needs to get prepared now.
Three steps to prepare your business for CCPA
Data legislation is highly complex by nature and you might be wondering how you can even start to prepare when time and budgets are tighter than ever. Here are three steps any organisation can take right now:
- Understand what data you are collecting
The first step for any business is to make sure you understand what data you are collecting. Most GDPR-compliant businesses will have already conducted a data mapping exercise. It’s important to repeat this for the CCPA, though make sure you build on the work you’ll already have done around GDPR where possible. This exercise can help you understand where you must comply with the CCPA and will determine any actions you need to take.
- Prioritize compliance
Even if budgets are tight, it is important that your business prioritizes CCPA compliance because the penalties can quickly become vast. Put in place processes to honour consumer rights and requests, where necessary. Remember, this should include examining all of the vendors and suppliers you work with – you could be vulnerable to penalties through them!
Looking forward, it is worth paying attention to America’s broader privacy landscape. Other states are now set to introduce their own privacy laws, and country-wide federal legislation could also be on the way. In addition, the CCPA itself is changing and could be re-worked as soon as November. The original CCPA advocacy group has put forward another proposition: the California Privacy Rights and Enforcement Act or ‘CCPA 2.0’.
To conclude — whatever you do, don’t make assumptions about CCPA.
Don’t assume it doesn’t apply to you or that the disruption caused by COVID-19 will mean the enforcement deadline is pushed back.
And, most of all, don’t assume that because of the groundwork your company did for GDPR you’re safe from CCPA penalties.