A Rundown of California Privacy Laws and Their Impact On Your Business
It seems like we hear about a new major data breach every few months, and that has many Americans running scared. The threat of personal information, like social security numbers, credit card numbers, passwords, and biometric data, being bought, sold and stolen by unknown organizations is real. Historically, governmental protection and regulation of data security has been limited and insufficient. That changed when California residents decided to do something about it, introducing the groundbreaking California privacy laws.
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. It is a broad, pro-consumer piece of legislation that tightens usage rights and restricts unauthorized trading in individual and household personal information.
And businesses across the country need to sit up and take notice.
The Prelude to California Privacy Laws
Data Breaches and Hackers
How did we get here?
We have all heard of the major data breaches over the past few years. Chances are, you or someone you know has been affected.
- Yahoo. 3 billion.
- Target. 110 million.
- Equifax. 143 million.
- Marriott. 500 million.
- Federal Government (OPM). 22 million.
- Ashley Madison (gasp!). 28 million.
The size and reputation of a company does not matter. All companies are susceptible. If anything, it may play an inverse role, making companies with large databases more attractive targets for hackers. With hundreds of millions of individuals exposed, consumers have developed an appropriately elevated sense of outrage and distrust.
In nearly all cases, hackers have been able to exploit holes and insufficiencies in corporate data security to access the personal information (PI) necessary to commit identity theft, fraudulent credit card charges and other criminal activities. Once PI like social security numbers has been stolen, individuals may be susceptible indefinitely.
Big Brother is Watching
The focus on data security and privacy is not just about hackers and illegal access to PI. In fact, almost every legitimate business collects, stores and analyzes their consumers’ personal data. And many of them sell this information — your information — to other companies.
Companies like Facebook, Google, Amazon, and Apple know almost everything about you, from demographics, to credit card information, to shopping habits, to personal preferences, to browsing history. Not only that, but consumers give them this information voluntarily. These companies are able to leverage your personal data to sell you products and services based on everything and anything happening in your life.
Pregnant? Bet you see tons of ads for strollers and baby products.
Moving? You are suddenly inundated with mortgage and lending ads.
Engaged? Hello jewelry stores, vacation destinations, banks, local vendors and more.
There is, however, a less talked about, but monstrous threat to data privacy. In fact, there is an entire industry based on collecting, storing, analyzing and selling consumer PI. Most people have never heard of them, or don’t realize what their hidden agenda is, but companies like Epsilon, 4LegalLeads.com, Oracle America Inc., Classmates.com and countless others make their money by trafficking consumer PI to other companies.
It’s like the wild west of the Internet.
Lawmakers in California are finally taking steps to regulate the usage of consumer data, expanding consumers' rights to control their own information.
How Does CCPA Protect Consumer Data?
Begun as a citizen-driven initiative in the California legislature, the CCPA is a California privacy law structured to provide transparency and control for consumers regarding how businesses are using their data.
The CCPA was passed on June 28, 2018 and will take effect on January 1, 2020. Lawmakers designed this new, formalized set of California privacy laws to guarantee consumers the following rights:
Transparency & Disclosure
- Consumers have the right to know all personal data collected
- Consumers have the right to know what categories of data will be collected.
- Businesses must inform consumers about data categories before and/or at the point of collection.
- Consumers must be notified of any changes to data collection
- Consumers have the right to know what third-parties will have access to personal data
- Consumers have the right to know what source provided their personal data
- Consumers have the right to know why a business is collecting their data
- Businesses must provide all requested information within 45 days of the request, in a transferable digital format or by mail.
Deletion & Non-Participation
- Businesses must delete all personal data collected from a consumer upon request
- Consumers may refuse to allow sale of their personal data
- Consumers must have the ability to easily opt out of having their personal data sold
- Children under the age of 16 must opt-in before any personal information may be sold
Action
- Consumers have the right to pursue legal action against companies that breach personal data
What Type of Personal Data is Protected?
The new California privacy laws go well beyond any current data privacy law in the United States, and in some cases even beyond the EU's GDPR. One of the biggest impacts of the CCPA is that it does not just protect obvious personal information, like name, credit card numbers, SSN, etc.
The CCPA, in Section 178.140(o)(1) defines “personal data” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The type of information this covers includes:
Identifiers
- Real Name or Alias
- Postal Address
- Unique Personal Identifier
- Online Identifier or Account Name
- IP Address
- Email Address
- Social Security Number
- Driver's License Number
- Passport Number
Commercial Information
- Personal Property Records
- Purchasing History
- Browsing History
- Cookies
- Click History
Other Data
- Geolocation Data
- Educational Information
- Employment Information
- Audio, Visual, Electronic, Thermal and Olfactory Data
Clearly, the California privacy laws are designed to be all-encompassing when it comes to data of any kind. The CCPA goes a step further by covering not just explicitly identifying information, but also information that can be indirectly linked or associated with a person or household. Any information from which a person or household could reasonably be inferred is also covered under the CCPA.
This broad yet vague language will likely be refined as the years pass, so businesses looking to adhere to the CCPA must stay flexible and constantly monitor their compliance.
Do California Privacy Laws Affect Your Business?
At present, the CCPA applies to businesses that meet all of the following qualifications:
- For-Profit Business
- Operate in California in any capacity (physical location, California tax ID, employees in CA, sell into the state, etc.)
- Collect consumer information or use collected information
- You, fully or in part, determine how and why collected information is used
In addition to the above checklist, the CCPA applies if your business meets ANY of the following criteria:
- Exceeds $25 million in annual gross revenue
- Obtains the personal information of more than 50K individuals, households or devices per year
- Derives more than 50% of annual revenue from selling consumer personal data
Is Non-Compliance an Option?
Hundreds of thousands of companies, if not more, will be forced to adhere to the CCPA. Admittedly, there will be a significant labor and budgetary cost associated with achieving compliance. Even if you don't presently meet all of the qualifications, if you anticipate expanding or growing enough in the future to meet the location or revenue factors, it makes sense to become compliant now.
It's honestly not worth debating the risks of non-compliance for qualifying companies. Not only is the CCPA about to be the law, there are serious financial and reputational consequences if you don't comply.
Data security makes big headlines nowadays. The California Attorney General and staff will be watching closely, and are legally allowed to fine non-compliant companies up to $7500 PER VIOLATION ($2500 if accidental). That means, if a list of 1,000,000 names is discovered in violation, the company could foreseeably owe $7,500,000,000.
In addition, consumers are now empowered to seek civil or class-action lawsuits, pursuing $100-$750 in damages per violation. All of these fines would put almost any small or medium company out of business.
CCPA vs GDPR
In case you haven't been paying attention, the California privacy laws are not the first of their kind. The EU introduced the landmark GDPR (General Data Protection Regulation) in 2016. The CCPA and the GDPR have a lot in common, including strict regulation of how businesses may interact with and use consumers' personal information.
Unfortunately, for businesses operating in California and the EU, if you are already GDPR compliant, you don’t get a free pass with the CCPA. While many of the requirements are similar, there are some distinct differences that will require additional legwork.
Here are some of the main differences between the CCPA and the GDPR:
GDPR
- Applies to all companies operating in the EU collecting, analyzing and processing personal data
- Applies to personal information of the individual
- Personal data must be tied to an individual explicitly
- Upon request, business must delete all data associated with consumer, including reasonable efforts to have third-party source delete data
- Must inform consumer of privacy rights at point of collection
- Must disclose information upon request to consumers
- Data history timeline is unspecified
- Disclosure must be provided in common, easily read electronic format if request made electronically
CCPA
- Applies to companies collecting, processing, analyzing and selling data
- Applies to personal information of individuals AND households
- All data, including indirect or data potentially associated with a consumer or household falls under coverage
- Upon request, business must delete data collected directly from consumer. (Does not apply to data collected from third-party.)
- Must inform consumer of privacy rights at or before point of collection
- Must disclose information within 45 days of request.
- Responsible for disclosing up to 12 months of data upon request (beginning January 2019)
- Disclosure must be provided either by mail or in an easily used electronic format
- Must provide clear link labeled “Do Not Sell My Personal Information”, linking to a dedicated web page that does not require any registration
- To sell PI for children under 16, they must opt-in
Effects of California Privacy Laws on Businesses in the United States
CCPA in the Short Term
In six months, the CCPA will be here. Not only that, the CCPA will require 12 months of data to be provided upon request, which means all 2019 data will be subject to CCPA regulations.
This means, if you haven’t already started working on CCPA compliance, your company needs to hustle.
There are numerous immediate implications of the CCPA on businesses and how they operate. Here are a few of them.
45 Days to Respond
Upon a verified consumer request for disclosure, businesses have a maximum of 45 days to respond. Your business not only needs to have all of this information easily accessible, but it needs the right information.
The type of information that you need to disclose depends upon your role in the personal information pipeline. If you collect personal information directly from consumers, your company must disclose the exact information collected, as well as any categories collected. You must also confirm that you will delete any information upon request.
If you collected consumer information from a third-party, you have additional disclosure obligations. In addition to the specific personal information that you collected and applicable categories, you must also disclose where you got the PI from and why you wanted it. You also need to disclose the business category of any third-party you share their information with.
Lastly, if your business sells or shares consumer PI, you must disclose the categories of information that you collected or sold, the category of any entity that you sold the information to, as well as category of information that you sold for a business purpose.
There are a lot of moving parts to this data, all of which you need to have accessible at any point in time.
Data Tracking
To handle personal information in California, you are accountable for the entire chain of control. You must know where it came from and how it was obtained. You must know where you store it, how you process it, and what you are doing with it. And you must know where it goes once you share it, and what the recipient is doing with it.
This type of data storage, organization and tracking is onerous and complex. Companies must take ownership over the data they are using and ensure that it was collected, processed and used responsibly. All tracking information must be attached to every single data entry for the lifetime of the information.
In addition, the requirements may evolve as time goes by, so companies must be flexible and constantly working on their data security protocols and compliance.
In order to meet these requirements, many companies are hiring dedicated data security teams or outsourcing their database privacy needs to industry experts.
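What "tracking information attached to every single data entry" looks like in practice, and how it feeds the 45-day disclosure response, is easier to see in code. The following Python sketch is an added example for this article, not code from the original post or from any CCPA tooling. It models one PI record with its provenance (source, collection method, purpose, recipient and buyer categories), builds a disclosure response limited to the 12-month lookback with the 45-day deadline computed from the request date, applies the opt-out and under-16 opt-in rules before any sale, and deletes only records collected directly from the consumer, as the article describes. The record fields, the sample consumers and the "Data Broker Co" source are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Figures taken from the article's description of the CCPA
DISCLOSURE_DEADLINE_DAYS = 45   # maximum days to answer a verified request
LOOKBACK_MONTHS = 12            # months of data that must be disclosed
MINOR_OPT_IN_AGE = 16           # consumers under this age must opt in before PI is sold


@dataclass
class PIRecord:
    """One piece of personal information plus the provenance that travels with it."""
    consumer_id: str
    category: str                 # one of the article's categories, e.g. "Identifiers"
    value: str
    collected_on: date
    source: str                   # "consumer" when collected directly, else the third party
    collection_method: str
    purpose: str                  # why the business collected it
    shared_with: list[str] = field(default_factory=list)  # business categories of recipients
    sold_to: list[str] = field(default_factory=list)      # business categories of buyers


@dataclass
class Consumer:
    consumer_id: str
    age: int
    opted_out_of_sale: bool = False
    minor_opted_in: bool = False


def response_deadline(received_on: date) -> date:
    """Last day to respond to a verified request received on `received_on`."""
    return received_on + timedelta(days=DISCLOSURE_DEADLINE_DAYS)


def lookback_start(received_on: date) -> date:
    """First day of the 12-month window the disclosure must cover (Feb 29 rolls back to Feb 28)."""
    try:
        return received_on.replace(year=received_on.year - LOOKBACK_MONTHS // 12)
    except ValueError:
        return received_on.replace(year=received_on.year - 1, day=28)


def build_disclosure(records: list[PIRecord], consumer_id: str, received_on: date) -> dict:
    """Assemble the items the article says must be disclosed, scoped to the lookback window."""
    in_scope = [r for r in records
                if r.consumer_id == consumer_id and r.collected_on >= lookback_start(received_on)]
    third_party = [r for r in in_scope if r.source != "consumer"]
    return {
        "respond_by": response_deadline(received_on).isoformat(),
        "specific_pieces": [(r.category, r.value) for r in in_scope],
        "categories_collected": sorted({r.category for r in in_scope}),
        "third_party_sources": sorted({r.source for r in third_party}),
        "purposes": sorted({r.purpose for r in in_scope}),
        "shared_with_categories": sorted({c for r in in_scope for c in r.shared_with}),
        "sold_to_categories": sorted({c for r in in_scope for c in r.sold_to}),
        "categories_sold": sorted({r.category for r in in_scope if r.sold_to}),
    }


def may_sell(consumer: Consumer) -> bool:
    """Opt-out always wins; under-16s must have affirmatively opted in."""
    if consumer.opted_out_of_sale:
        return False
    if consumer.age < MINOR_OPT_IN_AGE:
        return consumer.minor_opted_in
    return True


def delete_on_request(records: list[PIRecord], consumer_id: str) -> tuple[list[PIRecord], list[PIRecord]]:
    """Remove records collected directly from the consumer; third-party-sourced records are kept."""
    kept, deleted = [], []
    for r in records:
        (deleted if r.consumer_id == consumer_id and r.source == "consumer" else kept).append(r)
    return kept, deleted


# Constructed sample data for the demonstration (not real consumers or vendors)
SAMPLE_RECORDS = [
    PIRecord("c-001", "Identifiers", "alice@example.com", date(2019, 3, 2), "consumer",
             "web signup form", "account creation", shared_with=["email service provider"]),
    PIRecord("c-001", "Commercial Information", "browsing history", date(2019, 11, 20),
             "Data Broker Co (hypothetical)", "purchased list", "ad targeting",
             sold_to=["advertising network"]),
    PIRecord("c-001", "Identifiers", "old postal address", date(2018, 6, 1), "consumer",
             "paper form", "order fulfilment"),          # outside the 12-month window
    PIRecord("c-002", "Other Data", "geolocation", date(2019, 9, 9), "consumer",
             "mobile app", "store locator"),
]


if __name__ == "__main__":
    report = build_disclosure(SAMPLE_RECORDS, "c-001", date(2020, 1, 15))
    for key, val in report.items():
        print(f"{key}: {val}")
    kept, deleted = delete_on_request(SAMPLE_RECORDS, "c-001")
    print(f"deleted {len(deleted)} direct-collected records, kept {len(kept)}")
```

Note that the deletion rule keeps the broker-sourced record, mirroring the article's point that the CCPA deletion right covers data collected directly from the consumer; the third-party source still appears in the disclosure, which is why the provenance must stay attached to the record rather than live in a separate spreadsheet.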
Ownership of Data Stream
More than ever, companies are having to partner with companies they trust. If your company is involved at any point along the path of a PI violation, you are liable. As a result, responsible companies are renegotiating contracts with clients, vendors and data sources to ensure compliance with California privacy laws throughout the data chain.
Long Term Impact of CCPA
While the California privacy laws may be the first of their kind in the United States, other states may soon follow. Vermont, South Carolina and New York have made steps towards data privacy regulation. In fact, at least 15 other states have introduced data privacy legislation. The federal government also has similar proposals under consideration.
Everything discussed here so far directly relates to the data itself, and how businesses will be able to collect, process and sell consumers’ personal information in the future. But the implications of the CCPA extend even further, affecting operations, training, marketing, and even how you build your website.
Stay tuned as we delve further into the marketing and website ramifications of CCPA in our Impacts of the CCPA blog series.
In the meantime, take a careful look at your business and how it operates. If you meet any of the qualifications outlined above, the time to upgrade your website is now. If you are unsure, we can help walk you through the process.
Talk to one of the qualified website design and development experts at CMDS to understand how you can make your website CCPA compliant before it’s too late. Give us a call at 732-706-5555 or contact us through our website.