What is the California Consumer Privacy Act and How Does it Compare to GDPR?
Jan 1, 2020
Now that 2020 is underway, the California Consumer Privacy Act (CCPA) has gone into effect. Failure to comply with this new act could lead to heavy fines, which is why it’s important to learn more about this legislation and the changes your organization must make.
What is the California Consumer Privacy Act?
The CCPA, also known as AB 375, is intended to provide stronger consumer privacy, increase companies' respect for privacy, and improve transparency around how companies are using people's data. It marks the beginning of stricter U.S. consumer privacy protections and is one of the most sweeping acts of legislation enacted by any U.S. state.
Signed in 2018, this legislation is also known as the California Consumer Privacy Act of 2018. So, how is the CCPA different from existing U.S. privacy legislation? To start, the definition of personal information under the new law has changed. The new definition expands on what is considered personal information and introduces new privacy rights for Californians. These include the right to know what personal information a business has collected about them, the right to know how the business uses and discloses that data, and the right to request that the business delete that information.
How will businesses be impacted by the California Consumer Privacy Act?
Despite its name highlighting the state of California, the CCPA will affect businesses beyond California’s border. It will also impact businesses and business activities that were not previously subject to privacy regulations.
The CCPA will apply to:
- Any for-profit entity doing business in the state of California with a gross annual revenue over $25 million.
- Any entity that buys, receives for commercial purposes, sells or shares for commercial purposes personal information of 50,000 or more California consumers, households, or devices.
- Any entity that derives 50% or more of its annual revenue from selling California consumers' personal information.
- Any entity that controls, or is controlled by, a business that meets the above criteria, and shares common branding with that business.
How does the California Consumer Privacy Act compare to GDPR?
The CCPA was modeled after the EU’s General Data Protection Regulation (GDPR). If your company is already complying with GDPR, you may find that you already meet many of the requirements in the CCPA.
What do companies need to do to be CCPA compliant?
The CCPA goes into effect January 1, 2020. To be CCPA compliant, the bare minimum you will need to do is provide a new privacy notice, establish a process for responding to consumer rights requests, and have a link to a Do Not Sell My Personal Information web-based opt-out tool.
To be CCPA compliant, your company must:
- Provide a page called Do Not Sell My Personal Information that allows California residents to opt out of the sale of personal information. This page must be linked from the homepage and from any web page where personal information is collected.
- Allow users to make the aforementioned request without having to create an account.
- Respect a consumer’s do-not-sell decision for at least 12 months. After a year, the business can ask the consumer to allow the sale of personal information.
What is the definition of “sell” under CCPA and how will it impact lead generation?
One of the most challenging aspects of the CCPA for businesses may be complying with do-not-sell requests. The legislation, intended to protect California residents, allows Californians to tell businesses not to sell their personal data. But what does the legislation mean by “sell”?
The CCPA definition of “sell” essentially includes any transfer of personal information to another business or third party for “monetary or other valuable consideration.” Knowing what data you are collecting and storing about each of your customers and what, if any, of that data is being sold to third parties will be critical for CCPA compliance.
What are the penalties for CCPA noncompliance?
Potential penalties for violating the CCPA include civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided. While the CCPA goes into effect in the new year, enforcement will be delayed until six months after the publication of the final regulations, or July 1, 2020, whichever is sooner.
Complying with CCPA
When GDPR came into effect, the regulations seemed irrelevant to U.S. businesses, and many hoped it would only impact organizations across the ocean. However, as security concerns continue to increase, data protection regulations are the new reality around the world. With the signing of the CCPA, other states started taking notice and will soon be implementing their own privacy regulations. Becoming compliant can no longer be an organization’s plan for the future; meeting these regulations is a vital requirement for doing business, and action must be taken today.