The strongest set of data protection rules to date – GDPR – came into effect across the European Union on May 25, 2018. The intent was to modernize laws protecting the private information of individuals. But what the General Data Protection Regulation (GDPR) really did was pave the way for the implementation of similar regulations in other parts of the world.
California Consumer Protection Act (CCPA) – Going Beyond GDPR
In 2018, Vermont enacted the first state law mandating the registration of data brokers. Another U.S. state – Ohio – then made headlines with the first cybersecurity safe harbor law. Within the same timeframe, the breach notification statute in Colorado was amended to include a data deletion/disposal provision, while Massachusetts and other states also enacted breach notification statutes.
Amidst all of these developments, Governor Jerry Brown of California passed the CCPA bill on 28 June, 2018. The bill seeks to improve consumer protection and privacy rights for Golden State residents.
And this makes sense considering that the innovative California ranks first in the U.S. in net tech developments and net tech employment jobs added. California is also the home of Silicon Valley and its inventions, accounting for almost 19 percent of the state’s overall economic growth.
With an enforcement date of January 1, 2020, the CCPA – despite several amendments – will possibly end up being the toughest privacy regulation in the U.S., one-upping the GDPR. Nearly every company that does business in California or handles its citizens’ personal data will feel the impact.
Whom Does the CCPA Protect?
Any household or resident of California who can be reasonably identified, even with a unique identifier, is covered by the California Consumer Protection Act. The CCPA allows California consumers to exercise a new set of rights.
What Does the New Law Mean for Businesses?
The California Consumer Protection Act, although controversial, presents a unique opportunity for organizations to level-up on privacy best practices.
If you are still unaware of the effects of the CCPA on your business, it’s time to get the ball rolling. Otherwise, you might inadvertently attract a hefty fine. So, if you’re currently involved in handling personally identifiable information (PII) of California residents, you need to change how you operate.
Your company must now either adhere to the new standards for consumer data collection outlined by the regulation or prepare for the consequences if you fail to safeguard this data.
Checklist: Determine the Need for CCPA Compliance
According to the CCPA, “businesses” are for-profit entities that gather personal data from consumers – in this case, residents of California – and meet at least one of the following criteria:
- Annual gross revenue exceeding $25 million
- 50 percent or more of annual revenue comes from selling personal data
- Annual sales, acquisitions, mergers, and purchases of personal data from 50,000 or more households, devices, and consumers for commercial purposes
If you determine that your business meets any of these criteria and is processing personal information derived from California consumers, you need to work on CCPA compliance.
Checklist Exemptions: CCPA Business Exceptions
Your business is not covered by CCPA regulations if:
- Medical data is gathered by your company under the California Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act (HIPAA), especially data collected as part of a clinical trial and/or entities subject to CMIA or HIPAA.
- Personal data is gathered, analyzed, disclosed, or sold as per the California Financial Privacy Information Act or the Gramm-Leach-Bliley Act.
- Information is gathered, analyzed, disclosed, or sold as per the Driver’s Privacy Protection Act of 1994.
- Sale of personal details takes place to and from a consumer reporting agency for generating a consumer report.
- You receive a summons or subpoena; participate in efforts to comply with local, state, or federal law; or participate in a criminal, regulatory, or civil investigation.
- You are defending/exercising legal claims or cooperation with law enforcement agencies.
Until January 1, 2021
Your business is exempt from CCPA laws until 2021 if personal details are collected from employees, directors, staff, officers, owners, contractors, and job applicants in your company. However, right-to-know notification for employees will be required in some cases.
The bill requires businesses to submit reasonable verification of consumers in response to their CCPA requests. Consumers must use their existing accounts to make consumer requests. Your business, however, cannot ask a consumer to create an account just for the sake of making the request.
Also, personal details of employees, officers, contractors, directors, and owners collected through business-to-business transactions or communications or due diligence will not fall under the purview of the CCPA. Vehicle manufacturers and dealers also have a right to share or retain vehicle details and ownership information for recall or warranty-related repairs.
However, both of these caveats indicate amendments to the CCPA that have already passed state legislature but have yet to be signed into law by California Governor Gavin Newsom.
Once the amendments are signed, they’ll give employers time till 1 Jan 2021 to become compliant with CCPA, and will give the legislature more time to decide whether they want to keep employee records out of the purview of CCPA.
Further Amendments to the CCPA
The California legislature has since passed three other amendments to this bill which require Governor Newsom’s signature by October 13, 2019.
Elimination of Toll-Free Numbers for Online-Only Businesses
At present, your business must have two or more designated contact numbers for consumers to make requests under CCPA law, including an online website address and a toll-free number. This amendment seeks to change the requirement of having a toll-free number if your business operates exclusively online and has a direct relationship with the consumer. In such cases, you only have to provide an email address for consumers through which they can submit requests.
Clarifying “Publicly Available” Information and Personal Information
This amendment will remove confusing jargon from the current CCPA regulations about what constitutes publicly available information as well as remove language concerning the purpose of the data in federal records.
Registration of Data Brokers
This amendment requires the California Attorney General to create a publicly available data broker registry online, a provision which seeks to add transparency for consumers so they can understand how your business utilizes their data and who is accessing it.
We only have a few months left before the CCPA comes into effect, so you should quickly determine whether or not your organization will have to adhere to the new regulations. However, keep in mind that the positive effects of compliance with the CCPA on your business’s marketing programs and efforts to generate consumer trust will be more impactful than the associated penalties.