New Privacy Regs for Businesses with Californian Consumers
- Susan Glenn
- Feb 16, 2020
Updated: Jan 12, 2021
The California Consumer Privacy Act of 2018 (CCPA) is coming. Even though the law officially took effect January 1, 2020, it won't be enforced until June 2020, at the earliest. How much should businesses invest in being CCPA compliant? Which businesses does the CCPA affect? What consumer protection does it provide?

What is the intent of the CCPA?
The CCPA is one of the most stringent privacy laws, and the most comprehensive privacy law, in the country, with directives similar to those of the EU General Data Protection Regulation (GDPR), which took effect in Europe in 2018. California’s law provides more transparency for consumers, as follows:
It requires consumer consent for data to be sold to second and third parties and notice of the value of their data.
It gives the consumer the right to request that a business delete their personal data.
It gives consumers the right to know what type of personal information is collected, used, disclosed, and sold. Additionally, it gives consumers the right to know who the information was sold to in the 12 months preceding their request.
How quickly must businesses respond to a consumer request?
Requests to delete data
A business must confirm receipt of a request to delete personal data within 10 business days. Requests shall be responded to (acted on) within 45 calendar days (unless the business needs an extension of an additional 45 days). If the business can't verify the consumer within 45 days, the business may deny the request.
Requests to opt out
A business must comply with a request to opt out within 15 business days.
If a business sells information to third parties, it must notify the third party of the consumer request, and the third party must comply with the request.
Note: A business may deny a request to delete personal information if that information is necessary for the business to provide a loyalty program requested by the consumer.
What businesses must comply?
Has more than $25 million in annual gross revenue
Shares, sells, buys or receives for commercial purposes the information of at least 50,000 consumers, devices, or households
Derives at least 50% of its yearly revenues from selling customers’ personal information
Note: There are a number of exceptions, and you should determine if any of them apply to your business and to what extent.
How much should I invest in this?
Penalty levels for non-compliance are based on a company’s worldwide revenue. Companies will want to assess their appetite for risk when it comes to whether they want to spend the money to update their systems for CCPA compliance.
Additionally, more established companies typically haven’t operated with modern-day privacy issues in mind, and will likely have non-compliant systems. In this case, you may want to assess whether your databases should be updated (using the power of manual process and an army of rules) or replaced entirely with a modern (and potentially costly) system.
Startups will benefit from their lack of historic data. Regardless of your current size, you have an opportunity to be good stewards at the outset and embrace CCPA-compliant systems, which can also integrate potentially stricter cyber and privacy requirements in the future. And remember, if you maintain data of EU residents, you’ll want to apply the even stricter privacy guidelines of the GDPR to your cyber operations.
If you do it right, CCPA can be a boon for your organization, particularly in today’s age of consumer mistrust.
What data is covered?
The law applies to your data of California consumers, regardless of where your company is located. It doesn’t matter if you do business out of Florida or Finland: If your data list includes residents of California, you must manage that data in compliance with the CCPA or face possible fines and penalties for noncompliance.
Can I anonymize data instead of deleting it?
Yes. If you de-identify, aka anonymize, data so that it cannot be linked to the consumer, then you have converted it to non-personal information, which the CCPA does not impose restrictions on. The CCPA relates only to personal information. Therefore, if a consumer makes such a request regarding their personal information, you are not obligated to delete anonymized data or to stop sharing it for business purposes.
What’s next?
As of fall 2019, about 65 percent of companies hadn't started preparing for the CCPA. But there’s still time: Even though the law started on January 1, it won’t be enforced until June 2020, at the earliest.
Public comments were received at public forums held during 2018 and 2019 as part of the preliminary rule-making process. Additionally, the California Department of Justice (DOJ) received comments via email and post mail through March 8, 2019.
On February 7, 2020, the California DOJ released changes based on comments received during 2018 and 2019. The Department is accepting written comments to the proposed changes until February 24, 2020.