Your business may be compliant with the General Data Protection Regulation (GDPR), but that does not guarantee compliance with the next wave of data privacy: the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020.
What Is the CCPA?
The first comprehensive data privacy law of its kind in the United States, the CCPA is complex and strongly consumer-oriented. It applies broadly: a for-profit business that does business in California and holds the personal information of California residents, including its own employees, may be covered regardless of where the business itself is located.
Does the CCPA Apply to My Business?
If you answer YES to any of these questions, you must start preparing for CCPA compliance now:
- Does my business have annual gross revenues in excess of $25 million?
- Does my business, alone or in combination with partnering companies, annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices?
- Does my business make 50% or more of its annual revenue from selling personal information?
What Are Consumers’ Rights Under the CCPA?
The goal of the CCPA is increased clarity for consumers regarding how companies use their data. California created the following series of consumer rights that companies must satisfy: the right to access their personal data, the right to have their data deleted, the right to opt out of the sale of their information, and the right to not be discriminated against for exercising their rights under the CCPA.
How Do I Prepare for Compliance?
Update your privacy policy
Lay out the consumer’s rights under the CCPA, include an opt-out link, and list the methods by which consumers can exercise their rights.
Make opt-out link conspicuous
The link must be titled “DO NOT SELL MY PERSONAL INFORMATION” and appear conspicuously both in the privacy policy and on the company’s homepage.
Include at least two request options
At a minimum, and separate from the opt-out link, provide a toll-free telephone number and, if the business maintains a website, a web page through which consumers can submit requests to exercise their CCPA rights.
Answer requests within 45 days
A business’s receipt of a verifiable request starts a 45-day clock to provide a substantive response. That period may be extended once, by up to an additional 45 days, when reasonably necessary, provided the consumer is notified of the extension within the initial 45 days.
Provide information free of charge
Any information requested must be provided to the consumer free of charge, by mail or electronically at the consumer’s option. When delivered electronically, it must be in a portable, readily usable format that lets the consumer transmit it to another entity without hindrance.
Update existing agreements
Update your agreements with vendors, business partners, and contractors so that when a consumer exercises one or more of these rights, every downstream company you work with that holds the consumer’s data is bound to make the same changes within its own systems.
Utilize data mapping
While not required, robust compliance programs that utilize data mapping will decrease the cost of, and hours spent on, responding to consumer requests.
What Happens if My Business Is Noncompliant?
Don’t let the headline fines of the GDPR make you think the CCPA can be ignored; its financial impact can be just as severe. The CCPA’s private right of action for data breaches that result from a failure to maintain reasonable security allows statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater). In a class action of 26,000 consumers, each receiving the $750 maximum for a single breach, the company would owe roughly $20 million in damages. Given the litigious nature of US culture and the size of California’s population, hefty damages are all the more likely.
Because so much of the CCPA is novel, many of its provisions are unclear and lack specificity, which will make compliance more challenging until the California Attorney General’s office issues its implementing regulations later this year. One thing we know for certain today is that being GDPR compliant does not guarantee CCPA compliance.