California data privacy is a hot topic today as 2018 California state legislation went into effect in 2020. Many companies want to know if the California Consumer Privacy Act (CCPA) applies to them. And if so, they want to know what – if anything – they need to change to become CCPA compliant.
The California Data Privacy Act is by no means a federal law, though its effects have international implications. When examining the difference between the CCPA and federal privacy laws, the reality is that California’s privacy laws are much more exhaustive than are national consumer protection laws.
In this extensive guide, we’ll discuss what the CCPA means for businesses that collect, use, buy, sell, and share consumer information. After extrapolating the details of the CCPA, we’ll compare these standards against the backdrop of federal laws and other data privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR).
What is the California Data Privacy Act?
The California Consumer Privacy Act (CCPA) is the most extensive data privacy law in the United States to date. Also known as the California Data Privacy Act, it is setting the pace for data privacy reform across North America.
Though passed in 2018, the law went into effect on January 1, 2020. The two-year grace period gave legislators time to amend the guidelines where necessary and applicable businesses time to meet CCPA guidelines.
The purpose of the CCPA is to protect consumers against having their personal information used in ways that they don’t approve of. Additionally, the law further prevents consumer discrimination based on the data – such as race, religion, disability status, etc. – a business may have about that consumer.
Consumers may request access to personal data, disclosures, and enjoy stricter opt-in rights with those organizations with whom they’ve chosen to do business.
To Whom Does the California Consumer Privacy Act Apply?
The CCPA applies to certain businesses that operate – remotely or personally – within the state of California. These for-profit businesses that must abide by the California Data Privacy Act are those that actively collect consumer personal information and meet one of the following criteria:
- Earnings before interest and taxes (EBIT) meet or exceed $25 million annually
- Generate at least half of their earnings from selling consumer data
- Engages in transactions based on the buying, selling, sharing, or collecting of information from at least 50,000 consumers/devices
That means that data-gathering apps downloaded in the state of California must be CCPA-compliant. Additionally, most brokers, financial advisors, and healthcare specialists with clients in California must adhere to these new standards.
What is Included in the California Data Privacy Act?
The first notable portion of the CCPA defines two things:
- Who is a protected consumer? Protected consumers in the CCPA are California residents.
- What is personal information? Personal information, or personally identifiable information (PII), is any data that assists an individual or application in identifying a consumer or that consumer’s household and family.
To be clear, the CCPA does not forbid the collection and use of PII. Instead, it regulates the circumstances under which businesses can use that data. More importantly, it gives consumers more control over how an organization they do business with may use their information.
“A consumer shall have the right to request that a business that collects a consumer’s personal information and disclose to that consumer the categories and specific pieces of personal information the business has collected.” CCPA, § 1798.100(a)
The California Data Privacy Act insists that businesses using personal information be fully transparent with the consumers who’ve volunteered – directly or indirectly – their information. In theory, these new laws will hold businesses more accountable. At the same time, it helps consumers grow more accustomed to the fact that their activity naturally incentivizes the collection, study, and sharing of personal information. The CCPA grants consumers more rights and autonomy to know how businesses collect and use personal information to scale their business and better serve the customer.
Does the California Data Privacy Act Apply to You if You Don’t do Business in California?
The simple answer is No – your business is technically exempt if you do not serve customers that are also California residents. However, the more complicated answer is that many states are following California’s lead. Additionally, the CCPA has motivated federal policymakers in DC to enact more robust consumer data compliance standards.
Lastly, the California consumer base represents a sizable portion of North American spending. If your business overflows into other states, it may be difficult to refuse business from California residents simply because you’ve chosen not to comply with the California Data Privacy Act.
Between the CCPA and the GDPR, most businesses utilizing consumer information have chosen to become compliant under both sets of guidelines. Not only do these companies want to grow their business, but they also want to decrease their liability and protect consumer data from being lost or stolen.
Are CCPA and EU GDPR Compliance Standards the Same?
No, the CCPA and General Data Protection Regulation (GDPR) are not identical. There are some critical differences.
In many ways, the California Data Privacy Act takes action beyond the European Union’s GDPR. For example, the GDPR’s definition of personal information is less strict. Specifically, the CCPA labels “inferences” or “probabilistic identifiers” as personal information under which the laws apply. California’s standards even apply to an individual’s Internet and shopping activity.
Other ways in which the CCPA exceeds the scope of the GDPR include:
- Rather than merely protecting individuals (GDPR), the CCPA extends protection to households and families. On this point, the GDPR refers to “personal data,” while the CCPA uses the term “personal information.” These minor definition differences significantly affect how agencies enforce the law in their respective governing areas.
- Businesses must offer more clear opt-in/opt-out options as they pertain to using and selling personal information.
- The CCPA allows consumers to demand access reports showing what data businesses are using and how those businesses are using it.
- California consumers have broader “right to delete” privileges, particularly when it comes to data that the consumer volunteered to the business.
That said, the GDPR does also have standards that are stricter than the CCPA. For example, consumers have fewer private rights to action restrictions. That means that a consumer can file a lawsuit against a company in violation of the GDPR more easily. Also, the GDPR imposes heavier financial penalties on non-compliant businesses than does the California Data Privacy Act.
Thankfully, businesses that achieve compliance under one standard do enjoy some overlap when seeking compliance under the other standard. That’s why it’s much easier to achieve CCPA compliance once you’re GDPR compliant, and vice versa.
What Happens If You Violate the CCPA?
Any organization that does business in California and is not found CCPA compliant suffers several consequences, not the least of which is paying damages in a civil lawsuit. That said, non-compliant businesses could lose much more.
Legal repercussions include as much as $750 in damages for every instance in which your organization violated CCPA regulations. Additionally, California may fine you up to $2,500 per unintentional violation. If you’ve operated in California (personally or remotely) for some time without ensuring that your operations are CCPA-compliant, you could end up with a sizable number of violations. Under such circumstances, damages and fines could amount to hundreds of thousands of dollars.
Under the CCPA, violators must resolve their non-compliance within 30 days or risk additional penalties for $2,500-7,500 per incident. Naturally, the amount owed in damages and fines varies based on how egregiously a company’s actions or inactions disregarded the California Data Privacy Act.
In addition to legal consequences, non-compliant companies suffer enormous embarrassment. Reputation damage results in lost trust, employee turnover, and client churn. By violating the CCPA, intentionally or unintentionally, you’re likely to endure poor reviews and professional “black-listing.”
The costs of violating the CCPA continue through ongoing penance projects, legal assistance, and rising insurance premiums. Should one client file a claim against you in California, it could cause many more to do the same.
Needless to say, ignoring the California Data Privacy Act is a major liability. Even large tech companies are adjusting their data use to remain CCPA compliant. In most cases, oblivious small and medium-sized business owners stand most at risk of neglecting these exhaustive data privacy changes and facing prosecution.
What are Federal Regulations Pertaining to Consumer and Data Privacy?
Alarmingly for consumers, there is no clear set of consumer and data privacy laws on the United States federal level. However, that is likely to change drastically over the next five to ten years. That said, there are still many clear, federal statutes that specifically address data privacy.
Currently, the Federal Trade Commission (FTC) may hold businesses accountable who mislead consumers about how their information is collected, used, bought, sold, or shared. The key verbiage is “deceptive practices.” Federal agencies, like the FTC, may prosecute an organization that claims to follow certain compliance standards but fails to meet those standards in practice.
Perhaps the most important federal laws on consumer and privacy data hold companies responsible for promising a certain level of privacy – or anonymity – and then breaking those promises. Whether in a legally-binding contract or on promotional materials – including a company website – the FTC insists that companies practice integrity and face consequences for failing to do so.
How is the CCPA Influencing Consumer Privacy Across the United States?
Since the proliferation of content aggregators and social media, many consumers and industry experts have demanded greater accountability for organizations collecting and using personal data. The CCPA represents a milestone for data privacy in the United States.
As a result, federal lawmakers are in the process of instituting regulations similar to those outlined in the California Data Privacy Act. Before the CCPA, Delaware had the strictest consumer privacy laws in the country. Many states are trying to draft and pass more extensive consumer privacy laws, and they are using the CCPA as a model for ongoing data privacy legislation.
What Does It Take to Become CCPA Compliant?
The first major consideration when seeking to be CCPA compliant is how your team will manage consumer inquiries. Under the California Privacy Act, residents have the right to know what personal information you gathered – or have access to – and how your company uses that information.
Under most circumstances, the CCPA requires businesses to provide direct lines for consumer data access and disclosure requests. Additionally, you may need to add web pages and online request capabilities to your owned media channels to receive and fulfill consumer access requests. By implication, businesses that make it difficult for California consumers to exercise their rights violate the CCPA and have 30 days to rectify the issue before the California Attorney General (or resident plaintiff) takes legal action.
Another consideration is knowing how your business collects and uses consumer information. Unfortunately, too many operations neglect to maintain clear data mapping. Without data maps, you don’t know what data you have, where it is, and where you may have sent it.
By establishing data maps, organizations can track not just what information they’re using, but also how they’ve acquired the information they have and where they’ve stored and shared it. Additionally, data maps help businesses focus on the process of collecting and using consumer data. After understanding the process, they can ensure the safety of those processes and pass audits more efficiently.
The idea of process relates closely to consumer data policy. Since the CCPA requires companies to provide full disclosures, they must craft and abide by policies that meet CCPA guidelines.
After building those policies, decision-makers must then train their employees and update their infrastructure to comply with their policies. As the organizational learning curve flattens over time, company teams will feel comfortable verifying and processing consumer requests per consumer rights under the California Data Privacy Act of 2018.
Lastly, your business needs to demonstrate a reliable system for meeting deletion requests promptly. This system should include recording deletion requests and producing proof that the proper personnel followed through on that request.
Recap: How Does CCPA Differ from Federal Regulations?
In short, the California Data Privacy Act represents the most impressive batch of consumer protection laws in the history of the United States. Like the European Union’s GDPR, the CCPA is forcing many businesses to become compliant or face harsh consequences.
RSI Security exists to help businesses of all sizes establish and maintain compliance standards, such as those outlined in the CCPA. If you’re not sure whether your business is CCPA compliant, contact one of our agents today.