by Jenna Tsui
On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect, making California the first state in the U.S. with a comprehensive privacy law.
There’s a lot at stake for Californians and, potentially, for consumers all across America. Under the new law, a business must abide by the CCPA if it collects customer data, operates in California and satisfies at least one of these thresholds:
- Gets 50% or more of its annual revenue from selling customers’ information
- Buys, sells or shares the personal data of at least 50,000 Californians for commercial purposes
- Has annual gross revenues of at least $25 million
The bottom line is that businesses all around the country – including most of the tech giants – will be forced to abide by the law, regardless of where they’re headquartered. And some may adopt the California standard nationally. Microsoft, for example, has already announced that it will honor California’s new privacy rights for customers throughout the United States.
Why Privacy Matters
Driving this concern about privacy is the reality that in many everyday activities, people give up their data frequently and willingly. But such openness is not without consequences. Sharing data freely means many people receive online content from companies they’ve never heard of, and those firms seem to know all about them.
Moreover, large-scale incidents involving stolen and misused data are increasingly in the headlines, prompting growing concern about data privacy. Stolen data can end up on the dark web, where it can be bought and used to impersonate someone while applying for a loan or a credit card, for example. In July 2019, Capital One suffered a data breach that affected more than 100 million people. Breaches involving medical data are a particular concern: by some estimates, nearly 32 million health records in the U.S. were exposed in the first half of 2019, more than double the number for all of 2018.
Privacy breaches have become so commonplace in some places that many people don’t realize the United Nations recognizes privacy as a guaranteed human right. Many countries also explicitly recognize privacy in their constitutions.
Could privacy become a competitive advantage for responsible businesses? There are some signs that consumers may be starting to scrutinize and shun companies that don’t manage data responsibly. A survey by the Pew Research Center indicates the majority of Americans have concerns about how companies use their data, and that they have little or no knowledge of what firms do with the information once they have it. Another recent study showed 81% of people would stop engaging with brands online if those companies experienced data breaches.
Incidents that affect user privacy or make people feel their information is unsafe can damage a company’s reputation and foster an ongoing poor public perception. Privacy breaches can also result in lawsuits, regulatory sanctions and fines. In July 2019, the Federal Trade Commission fined Facebook about $5 billion for mishandling users’ personal information.
California Seeks to Change Things in the U.S.
Given these concerns about privacy, it may be surprising that the United States does not have a national privacy law. While there have been proposals in Congress, the outlook for federal legislation is uncertain.
By comparison, in the European Union, the General Data Protection Regulation (GDPR) went into effect in May 2018 for all companies doing business in the EU or communicating with customers who live there. The GDPR’s extensive regulations require that companies obtain users’ consent for the use of their data, provide details about what data they hold and how they use it, and give timely notifications about data breaches.
While California will be the first in the U.S. with its own privacy law, other states are considering legislation. That’s a concern for many companies with customers nationally, who worry about having to contend with a patchwork of varying state privacy laws.
The text of California’s CCPA considers personal information to be anything that describes, relates to, identifies or could directly or indirectly tie to an individual or household. That includes basic personal information, such as names and addresses, but it also extends to additional information such as biometric and geolocation data.
Under the CCPA, data collection happens when a company obtains information about a customer through any means. Whether a company buys the information or gets it directly from a customer, that information is covered by the CCPA. The new law also applies to both actively and passively collected data.
The CCPA provides consumers with several new rights they can exercise. Those include:
- The right to request that a company disclose all the categories and specific pieces of information it has about them
- The right to become informed at or before the time of information collection regarding which categories of personal data a business collects and why
- The right to know which third parties a business shares information with
- The right to opt out of having their information sold to a third party
- The right to request that a company delete the information it collected about a consumer
- The right to receive equal services and prices
Some timeframes factor into the CCPA, too. For example, if a customer “opts out” of having their data sold by a business to a third party, the business can ask them to opt back in, but only after at least a year passes.
One reason a consumer might exercise their right to know which data a company holds about them is if correspondence from that firm contains information that the customer does not think the enterprise should have. Or, a consumer may want precise information about whether their data reaches third-party companies after the initial data collector possesses it.
Challenges Associated With the CCPA
A variety of factors may make it difficult for companies to comply with the CCPA. For example, if a company meets at least one of the thresholds that necessitate compliance but has a small staff or lacks financial resources, full compliance with the law could be a challenge. Additionally, if a company works with many third-party companies, it may be time-consuming to get everyone on the same page about what the CCPA requires.
Business representatives may also find their companies struggling to meet the legal deadline if they have not yet started their preparations. The law comes into effect in just about a month, and implementation may not be as straightforward as some enterprises anticipate.
The civil penalties associated with the CCPA can be severe – up to $2,500 per violation. Plus, if the violations are intentional, the amount increases to $7,500 per violation. Offending companies have a 30-day window in which to fix any cited problems.
Getting ready for the CCPA is a collective effort. Companies have some first steps they should take to prepare for compliance. Those include conducting a readiness assessment and determining whether existing data collection practices match what the CCPA mandates. If they don’t, companies need to move forward with proactive changes and ensure each employee understands how the CCPA impacts them and their job responsibilities.
The CCPA requirements cannot take effect overnight. Even if compliance becomes an initial burden for some businesses, they should still view the mandates as reasonable. After all, many of the requirements directly relate to handling data responsibly — which companies should be doing already.
Jenna Tsui is an environmental and tech journalist from Texas. With a degree in IT and a passion for sustainability, she often writes about the intersection of the two subjects. She also co-owns The Byte Beat blog and writes for sites like Blue & Green Tomorrow, Green Journal, and Triple Pundit. Check out her work on TBB or follow her on Twitter @jenna_tsui