Whether you see it as an opportunity, a burden, or just basic consumer protection, the California Consumer Privacy Act (CCPA) became law January 1, 2020. Despite significant lobbying from Silicon Valley, this landmark privacy law means, for Californians and all companies doing business in the state, the most sweeping set of new privacy regulations since GDPR. According to the law, the California Attorney General “shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020.” Thus, it is important to watch developments as the AG moves toward enforcement.
The CCPA pushes the U.S. closer to global privacy norms that will limit American companies’ commodification of consumer data. Some believe the lack of laws like CCPA actually set the stage for data catastrophes ranging from Facebook’s Cambridge Analytica scandal to the Equifax data breach.
To ensure that you and your business are up to speed with this upcoming, groundbreaking law, we’ve compiled a round-up of key facts:
Who Must Comply with CCPA?
The CCPA is a state law that applies to the following:
- Companies that do business in California
- Out-of-state merchants who sell to California
- Websites that are displayed in the state of California
For most companies, complying with the CCPA to protect themselves and their consumers makes more sense than avoiding trading in California – the world’s fifth-largest economy.
The law focuses on larger companies, or SMBs with large databases; it applies only to the following:
- Companies with more than $25 million in gross revenue
- Companies with data on more than 50,000 consumers
- Companies that make more than 50% of their income selling consumer data
What Is CCPA?
Under CCPA, consumers can demand that CCPA-regulated entities disclose the specific personal data they collect about them. Companies must disclose more upfront about what data they collect and how they intend to use it. Additionally, Americans can demand that all personal data collected by a company be deleted, and the law forbids the company from sharing the data with third parties. For retailers like Walmart and tech giants like Amazon, Facebook, and Google, the new law will severely impact the way they manage data and conduct business.
What Data Can Consumers Request To Delete?
Thanks to websites and apps, many companies have more than just your name, phone number, and email address. Websites and apps can track where you go, what you buy, and what you’re looking at online. Because of this, many companies have created detailed profiles of each of their consumers. Within the CCPA, there is a list of personal data that a company must disclose and delete upon request. The list includes the following:
- Biometrics – fingerprints, facial recognition, voice patterns, etc.
- Purchasing history as well as considered purchasing history
- Internet browsing information
- Academic and employment information
- Geolocation data
CCPA – Kind of A Big Deal…?
To date, data management has been more of an ethical opt-in scenario for companies. Under CCPA, if a subject company is hacked – like in the case of Equifax – or uses your data in an unethical way – like with Facebook and some third-party marketers – regulators will penalize and monitor data breaches and mismanagement.
However, the jury’s out on whether or not CCPA will truly make a difference.
“Our view is that this is a disaster of a law because it scares the bejesus out of businesses and costs them a ton of money in compliance,” Jay Edelson, who runs one of the country’s most prominent privacy class action firms, told Fortune magazine. “But to us, it’s totally toothless.”
There is a major concern that the California AG’s office lacks the resources to enforce the law.
What Happens If A Company Does Not Comply With CCPA?
Companies that do not comply with the CCPA will be fined. Fines are broken down in the following way:
- Intentional violations can be fined up to $7,500, but enforcement relies on California’s Attorney General.
- Individual consumers can sue for up to $750 if a company is careless and gets hacked.
The California Consumer Privacy Act is intended to enhance privacy rights and consumer protection for residents of California – which is an excellent practice for all companies, regardless of regulatory pressures. As the pioneer state adopting this type of law, California could become a model for other states around the nation. While the scope and reach of CCPA are starting somewhat narrow, this is a solid signal to develop new strategies, policies, and procedures to ensure customers and their private data are protected.
Elevated has a long history of working with companies in heavily-regulated industries. Contact us today for a free marketing assessment.