The California Consumer Privacy Act: What You Need to Know
Recently, consumers have become more aware of how little control they have over their data. A series of data disasters, such as Facebook’s Cambridge Analytica scandal and the massive Equifax breach, have left many Americans feeling powerless. Under the CCPA, Americans (well, Californians mostly) move a step closer to general privacy protection. However, the act only targets larger companies or those with large data use, so there is still a long way to go. The state of California is often at the forefront of new forms of legislation and the CCPA has prompted other states to consider their own privacy laws, some of which have already passed. The law is often compared to the European Union’s General Data Protection Regulation, currently the benchmark for online privacy. Here’s what you need to know about CCPA and how it will affect you.
What Is the CCPA?
In late June 2018, California passed a consumer privacy act, AB 375. The California Consumer Privacy Act or the CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, businesses will be required to comply with official consumer requests to delete that data. Consumers can also opt-out of their data being sold and businesses can’t retaliate by changing the price or level of service. If privacy guidelines are violated by companies, this law allows consumers to sue them, even if there is no breach. The company will also face heavy fines. It has been a year and a half later since the CCPA was signed, but it officially took effect on January 1, 2020, and enforcement begins on July 1, 2020. The fact that CCPA became law, and so quickly, speaks to its widespread support and the pressure to take action.
Who Does the CCPA Affect?
Under the CCPA, all companies that serve California residents and have at least $25 million in annual revenue must comply with this law. Also, companies that have personal data on at least 50,000 people, no matter the size of the company. If a company collects more than half of its revenues from the sale of personal data also falls under the law. Companies can be based anywhere, not just California. It is important to know that companies both inside and outside of California will be affected by its requirements. They don’t even have to be based in the United States. However, an amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
CCPA and Security
As stated earlier, the law does define penalties for companies that expose consumer data due to a breach or a security lapse. Businesses are not required to report breaches, but consumers must file complaints before fines are possible. Companies need to understand what data is considered private data and take steps to secure it. “Controlling the privacy and personal information that flows between machines is incredibly difficult, and a major challenge for all businesses,” says Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. Most companies are going to have trouble pulling that information together because the amount of data large firms collect is already massive and continues to grow. The data is contained in multiple storage platforms and once a consumer places an access request, a company has 45 days to provide them with a comprehensive report about what type of information they have, whether it was sold, and to whom they sold it.
What if I Don’t Live in California?
Even if you may not live in California as a consumer, this law will definitely affect you. While you won’t enjoy the right to opt-out of the sale of your data or ask companies to delete it, you’ll learn more about what companies are collecting about you. The law requires for-profit businesses to describe in their privacy policies the categories of data they collect about users. In addition, many companies are likely to extend some of these rights to everyone. Companies like Microsoft and Mozilla have said they’re not limiting the new rights to users in California.
Adapting to the CCPA will be difficult for some businesses, however, they need to prepare for consumers seeking to exercise these new data rights. Many companies may have to restructure the way they handle users’ information and come up with the funding to implement new systems and processes that help comply with the new requirements in the CCPA. For business owners, it may be smart to consider aligning yourself with the data privacy movement. With that being said, 2020 is shaping up to be a very interesting year as American tech giants face a new landscape of data protection. Consumers should see businesses come up with one or more ways to submit data retrieval requests, such as a toll-free number. If you want to learn more about the CCPA and take a look at all the amendments, you can do so here.