July 1 will mark a new era for data privacy, with enforcement of the California Consumer Privacy Act (CCPA) scheduled to begin.
The CCPA has arrived with little of the fanfare that greeted the EUs General Data Protection Regulation (GDPR) in 2018. GDPR was headline news for months, and European companies of all shapes and sizes took notice in the rush to become compliant.
Of course, the CCPAs relatively low profile in Europe makes sense, with businesses so focused on their responses to COVID-19.
[Read: How to choose the right mentor for your startup]
And, after all, it is a piece of state-level legislation, not even prescribed at the federal level.
Your natural reaction could be: Weve already got the GDPR, so why should we care about another piece of data regulation?
Unfortunately, you do need to pay attention to the CCPA. And Im here to explain why.
Who is affected by CCPA?
Dont be fooled by the name: The reach of the CCPA extends far beyond Californian state lines. Lets get the nitty gritty out the way and define who the law really affects.
At a basic level, you need to worry about CCPA if your company:
- Does business in California
- Collects personal information of consumers that are California residents
and satisfies at least one of the following criteria:
- Buys, receives, sells or shares the personal information of at least 50,000 California residents, households or devices
- Has an annual gross revenue of over $25,000,000
- Derives more than 50% of your annual revenue from selling the personal information of Californians
Phew, you might be thinking! Well, I wouldnt stop reading just yet. Unhelpfully, CCPA doesnt clearly define what doing business in California actually means.
However, what is clear is that you dont need to have offices or employees in California to be considered to be doing business there. Simply having users or customers in the state could be considered sufficient.
In this digital-first world, businesses are often international from day one, and it is likely that your business interacts with more Californians than you think.
After all, there are 40 million of them, and the states economy is the fifth largest in the world (bigger than the UKs!).
The concept of selling personal information is perhaps CCPAs biggest grey area.
Importantly, under CCPA selling personal information doesnt necessarily involve making a payment, and could also refer to actions such as disseminating making available and transferring data.
Under the CCPAs broad definitions, even online advertising something which almost every business does can be considered selling if it involves the sharing of cookies to track behaviour online.
Although the CCPAs definitions are somewhat unclear, it would be rash to assume that the law will not impact businesses based in Europe.
CCPA sits on moving plates
You also should not assume that because your business is GDPR-compliant, that it is automatically CCPA-compliant. GDPR and the CCPA have many similarities, but there are also major differences and it is important that your business understands them.
In addition, the CCPA is not without its weaknesses. It was pulled together quickly without consulting key stakeholders, and its short history has been defined by ambiguity.
Plans for the GDPR were in the works years before it finally came into effect and it had been scrutinised at length. By contrast, the CCPA was signed into law in 2018 just months after it was first put forward by a private group of consumer advocates.
The State Legislature scrambled to pass it before it could do so via ballot initiative, which would have made it part of the state constitution, and therefore very difficult to amend or update.
As a result, a number of key details are yet to be finalized by Californian Attorney General Xavier Becerra. This has led to an unusual state of affairs where there is a law that companies need to comply with, and yet they do not know exactly what compliance actually looks like.
With enforcement scheduled to kick off in July, the penalties could be crippling for businesses. The fine for unintentional violations will be $2,500. Crucially, thats per violation. So if you failed to comply for 1,000 Californians, the penalty would be $2.5 million (about 2.3 million or £1.9 million). Clearly, with fines of that level, non-compliance is not a viable option for most businesses.
There has been some pressure on Xavier Becerra to extend the deadline for compliance due to COVID-19.
But at present, the Attorney Generals Office remains committed to the original deadline, even circulating a reminder to residents of their new online rights.
As more and more people do everyday tasks like grocery shopping online, it would seem that Becerra is determined that their data is protected.
Your company needs to get prepared now.
Three steps to prepare your business for CCPA
Data legislation is highly complex by nature and you might be worrying how you can even start to prepare at a time when time and budgets are tighter than ever. Here are three steps any organisation can take right now:
- Understand what data you are collecting
The first step for any business is to make sure you understand what data you are collecting. Most GDPR-compliant businesses will have already conducted a data mapping exercise. Its important to repeat this for the CCPA, though make sure you build on the work youll already have done around GDPR where possible. This exercise can help you understand where you must comply with the CCPA and will determine any actions you need to take.
Even if budgets are tight, it is important that your business prioritizes CCPA compliance because the penalties can quickly become vast. Put in place processes to honour consumer rights and requests, where necessary. Remember, this should include examining all of the vendors and suppliers you work with you could be vulnerable to penalties through them!
Looking forward, it is worth paying attention to Americas broader privacy landscape. Other states are now set to introduce their own privacy laws, and country-wide federal legislation could also be on the way. In addition, the CCPA itself is changing and could be re-worked as soon as November. The original CCPA advocacy group has put forward another proposition: the California Privacy Rights and Enforcement Act or CCPA 2.0.
To conclude whatever you do, dont make assumptions about CCPA.
Dont assume it doesnt apply to you or that the disruption caused by COVID-19 will mean the enforcement deadline is pushed back.
And, most of all, dont assume that because of the groundwork your company did for GDPR youre safe from CCPA penalties.
Published May 5, 2020 — 06:30 UTC