Companies in California are scrambling to comprehend and meet the extensive requirements of the new California Consumer Privacy Act or CCPA. That’s no surprise, as the same happened with Europe’s General Data Protection Regulation or GDPR in the months before it came into force. However, with the effective deadline of January 1st, 2020, just around the corner, time is running out for companies conducting business in California or possessing personal data on Californian residents. Even with a six-month grace period before any government investigations and enforcement actions begin, there is cause for some worry.
Data Regulation a Work in Progress
In the US, data regulation is still a work in progress. Since 2018, several states have introduced and passed legislation that mirrors some of the protections provided by the GDPR. Others, in particular the California law and, to a lesser extent, the Vermont law, aim to offer broader protection to consumers and go beyond data breach notification rules. Much like the GDPR, the comprehensive California Consumer Privacy Act gives users a host of new rights when it comes to controlling their data.
As of January 1, 2020, California residents will have the right to:
- Know what personal data is being collected
- Know whether their personal data is sold or disclosed and to whom
- Say “No” to the sale of their personal data
- Access their personal data
- Request a business to delete any personal information
- Not be discriminated against for exercising these rights
Another difference from existing privacy laws in most states is that the CCPA will apply to all for-profit organizations (or entities that control or are controlled by such businesses), regardless of their location, that conduct business in California and/or possess information on Californian residents.
Businesses must comply with CCPA requirements if they meet ANY of the following criteria:
- Generate an annual gross revenue in excess of $25 million
- Possess personal data of more than 50,000 consumers, households or devices
- Earn more than half of their annual revenue from selling personal data
An estimated 500,000 US companies meet one or more of these requirements and thus will have to comply.
Monumental Shift in US Data Privacy Regulation
The CCPA marks a monumental shift in US data privacy regulation. At the moment, data regulation is still a patchwork of different rules and regulations across different states and sectors. For most consumers, it is impossible to follow what their rights are. On the other hand, many businesses struggle to comply and welcome more regulatory certainty. In September, 51 top CEOs from companies such as Amazon, IBM, Dell, SAP and JP Morgan Chase voiced their concerns in an open letter to Congress urging policy makers to pass comprehensive consumer data privacy laws.
In the upcoming months, no doubt, all eyes will be on California. Not only are many of the top tech companies, including Apple, Alphabet Inc. and Google, based in Silicon Valley and Palo Alto; with a GDP of $3 trillion (2018), California is also the crown jewel in the economy of the United States, ahead of countries like India and the UK.
As of January 2020, California will also have the strictest privacy laws of the US, comparable to but also in some ways different from the GDPR. Much like the GDPR, the CCPA qualifies “online identifiers” such as your IP address as personal information, as well as device IDs. A key difference is that the CCPA also considers information that can be linked to “a household” and not necessarily one individual of that household. Surprisingly, it makes a distinction between personal data provided by a consumer (included) and personal data that was purchased or acquired through a third party (mostly excluded), while nonetheless offering an opt-out right for the sale of personal information.
CCPA Compliance Poses Significant Challenges
Unfortunately, most companies seem to lack a clear road map. Privacy technology firm Ethyca recently conducted a study to understand the different ways businesses are approaching privacy and compliance. The report shows that just 12% of the respondents believe they have achieved an adequate state of compliance or compliance readiness, meaning 88% are “not ready”. More than 70% have no engineering solution and rely on man-hours and retrofitted processes. Basic data-mapping is still the greatest concern for early-stage companies. Start-ups are least likely to have formalized data privacy resources and processes.
Just like we have seen in the Facebook-Cambridge Analytica data scandal, fines easily add up. Under the CCPA, all violators and non-compliant parties can be penalized with monetary fines if a breach occurs. Penalties range from $750 per affected user in civil damages to $2,500 per violation for those lacking intent and $7,500 per violation if intentional.