The California Consumer Privacy Act will be one of the first data privacy laws to take effect in the US since the GDPR was instated in Europe. While multiple states have proposals for data privacy up for review, the California Consumer Privacy Act has gotten the most attention and will go into effect on January 1, 2020. This state law builds upon current privacy regulations to address consumer privacy and will give California residents more power in knowing what kind of personal information companies possess, as well as who they have “sold” their data to.
In this blog post, we will explore the basics of the CCPA.
How will the CCPA enhance personal data protection?
At its core, the CCPA is designed to give California residents more power over their personal information. Most notably, if a company collects and stores personal information, the CCPA requires that their privacy policy provides transparency on how, why, and what kind of information is collected. In addition, information should be available on how users can exercise their rights to request access, change, or delete the personal data that has been collected. Personal information includes, but is not limited to, personal identifiers such as name, home address, and social security number. However, personal data under the CCPA is broadened to also protect IP addresses, location data, and biometric data, just to name a few.
The CCPA only applies to companies that:
- Do business in California, meaning actively engaging in any transaction for the purpose of financial or pecuniary gain or profit – without the need to have a company seat or establishment in CA.
- Collect personal data on California residents and decide on the use of the data
and
- Have a gross annual income greater than $25 million, or
- Buy or sell data on more than 50,000 individuals, or
- Derive 50% or more of annual revenues from selling customer data.
This means that if your company collects and stores data from Californians, it is worth exploring whether your business will be affected.
Children’s privacy will also be enhanced: personal information of minors under the age of 16 can only be disclosed and sold on an opt-in consent basis. For minors under 13 years old, the parent or legal guardian needs to give consent.
How can companies ensure that they are compliant with the new law?
In order to ensure compliance with the new law, there are a few requirements that companies must meet. These include:
- Provide transparent information, namely informing consumers about the categories of data collected, as well as the purpose, and whether the data is shared with a third party.
- Ensure non-discrimination for consumers who have exercised their rights to access, delete, or opt-out of data collection.
- Update your company’s Online Privacy Notice to include specific content on data handling.
- Provide at least two ways for consumers to make requests regarding their data. This includes a toll-free hotline if there is no direct business relationship between the business and the end-user.
- Train personnel who handle enquiries from California consumers exercising their rights under the CCPA.
- Provide an easily accessible opt-out button for every California resident and an opt-in option for minors.
It is important to note that all companies who collect data on California residents will need to comply with this regulation, even if they are not located in California. Furthermore, just because a business is compliant with the GDPR does not mean that they will automatically satisfy the CCPA, so it is important to address the CCPA as a separate topic.
What are consumer rights under the new regulation?
As part of the regulation, consumers will have rights to the following:
- To be informed of the categories of personal information that a business collects or otherwise receives, sells, or discloses about them; the purposes for these activities; and the categories of parties to which their personal information is disclosed.
- To request more detailed information about the personal information a business holds specifically about them.
- To obtain portable copies of their personal information from the business.
- To request that a business delete their personal information under certain restrictions, and
- To prohibit a business from “selling” their data (opt-out) without any discrimination.
Under the new regulation, the “sale” of consumer data includes selling, renting, disclosing, disseminating, transferring, or otherwise communicating consumers’ personal information either orally, in writing, or by electronic means to another business or third party for monetary gain or other valuable consideration. The term “valuable consideration” does not have a set guideline, leaving it broad and open for interpretation, but this may become more defined once the regulation is in place.
In addition, consumers are also allowed to request information from companies regarding what personal data they have collected — as well as who it has been sold to — twice a year, free of charge.
What if a company fails to follow the CCPA’s requirements?
While the regulation goes into effect on January 1, 2020, companies will have until June 2020 before being subject to a fine. If a company does not comply with the CCPA regulations, they may be fined $2,500 per violation (or up to $7,500 if the violation was intentional). While this may sound nominal, complaints are measured on an individual basis, meaning that some companies may receive thousands of complaints.
What’s ahead?
The CCPA will take effect in California on January 1, 2020. While the regulation only applies to California residents, if your company collects and stores data on California users it is important that you are ready to address the CCPA, regardless of whether your company is located in California.
Currently, this regulation only protects California residents, but more than a dozen states, including Nevada, Pennsylvania, and New York, have data privacy regulations planned, with more states expected to follow. Naturally, every state having its own regulation increases the complexity for companies conducting business in those states. Therefore, there is some speculation that data privacy may become a topic on the federal level to simplify the compliance process.
Until then, everyone in the advertising industry should familiarize themselves with what is coming with the CCPA and have a look at what the IAB has prepared: https://www.iab.com/ccpa/
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the CCPA.