Data privacy has been a hot topic over the last few years. Consumer expectations are changing, regulatory bodies are taking action, and businesses are beginning to comply. The way that businesses can use customer data has changed significantly and the result is a minefield of new laws and rules that businesses must abide by in order to avoid hefty fines.
The first acronym you have likely already heard is GDPR, or the General Data Protection Regulation. Enacted in the European Union (EU) in 2018, the law protects the data and privacy of EU citizens. Right around the corner is a law and acronym a bit closer to home: the California Consumer Privacy Act, or CCPA. CCPA goes into effect January 1, 2020. The purpose of this article and the linked resources is to sift through the noise and ensure you are ready for this change. While we did boil the 40+ pages of regulations down into a few paragraphs, please seek legal advice to ensure total compliance.
What is CCPA?
CCPA is a law intended to protect the data and privacy of California residents. The law dictates the manner in which businesses collect personal information, the way the data is used, and how accessible the data is to the consumers themselves. There are three main categories:
- the right to know (what data does a business have on me),
- the right to delete (please delete said data),
- the right to opt-out (I don’t want the business to use or sell the data anymore).
What does "personal information" really mean?
Is it just my name and email address? My hair color? Blood type? Favorite 80s song? CCPA defines “personal information” broadly to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes not only common identifiers, such as a name, address, and Social Security number, but other information such as:
- purchasing history or tendencies,
- biometric information,
- internet activity,
- geolocation data,
- employment information,
- education information,
- a device MAC address,
- IP addresses of devices that are connected to your Wi-Fi network.
So if you’re collecting data about someone, whether or not a person’s name or contact info is attached to it, you need to abide by these rules.
Who does it apply to?
One common misconception about GDPR is that many businesses think that because they don’t operate in Europe, they aren’t held to the same standard. In fact, GDPR applies to EU citizens regardless of where they are in the world. Similarly, CCPA defines a “consumer” as a natural person who is a California resident. While you might be thinking, as a U.S.-based business, that you’re much more likely to have a customer from Bakersfield than from Brussels, it’s still wise to abide by both.
In fairness, CCPA does not apply to every business out there. It defines a “business” as a for-profit business or other legal entity that collects and determines the use of consumers’ personal information, and satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25M
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
So if you’re a mom-and-pop coffee shop, you likely don’t need to worry too much. That said, consumers are beginning to turn away from businesses that use their data in ways they don’t expect, regardless of whether that use is legal or not. Consumers are expecting more personalization, so businesses need to meet this demand while maintaining privacy standards.
The three main consumer rights the regulation provides are:
- Right to opt-out: This means a consumer can request that a business not “sell” the consumer’s personal information to third parties.
- Right to know: This means that a consumer can request that a business disclose personal information that it has about the consumer, including specific pieces of personal information, categories, sources, what information has been sold, what type of businesses the information has been sold to, and the purpose for collecting or selling this information.
- Right to delete: This means a consumer can request that a business delete personal information about the consumer that the business has collected from the consumer.
Make sure you understand what "sell" means
It is important to understand that “sell” does not have a normal meaning in California. The terms “sell,” “selling,” “sale” and “sold” mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” a consumer’s personal information to another business or a third party “for monetary or other valuable consideration.”
The reference to “valuable consideration” has the potential to be interpreted very broadly as meaning essentially any benefit. As a result, most communication of personal information with third parties could be considered to involve the sale of the information unless it fits within one of two exceptions: (a) where the consumer directs the business to disclose the information or uses the business to intentionally interact with a third party; or (b) the business uses or shares personal information with a service provider and the service provider does not further collect, sell, or use the personal information except as necessary to perform the business purpose of the sharing entity.
How do I comply?
- Ensure the “Do Not Sell” link informs consumers of their right to direct a business that sells their personal information to stop selling their personal information, and to refrain from doing so in the future.
- Place a Notice of Financial Incentive within the Notice at Point of Collection. The purpose of this is to explain to the consumer each financial incentive (which can be a price or service difference) a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether or not to participate. This essentially means that if you are collecting data in exchange for a free appetizer, upgraded service, loyalty program savings, or anything like that, you must explicitly tell the consumer about this exchange.
- Develop methods for consumers to submit requests. A business must provide two or more designated methods for submitting requests, including a toll-free phone number and an interactive web form, which reflect the manner in which your business primarily interacts with the consumer. For example, if you are primarily an in-person retailer, you must have an in-person submission option.
- Develop methods to respond to consumers’ requests. When a consumer submits a request, you must confirm receipt within 10 days. For requests to opt-out, you have 15 days to opt the consumer out and 90 days to notify all third parties. You have 45 days to answer a request to know or delete, beginning from the time you received it. There are a ton of additional details about how to respond and how not to respond, which can be found in the proposed verbiage.
- Keep records of all requests for at least 24 months.
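The request-handling and record-keeping steps above amount to a set of clocks that start the day a request arrives. The following is an added example (not code from the original article) of a small tracker that computes each deadline from the timelines stated above and flags steps that have slipped. It assumes calendar days (the article does not say whether business or calendar days apply), that the 24-month retention period runs from the date the request was received, and that all clocks start on the receipt date; the request records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Timelines as stated in the article. Calendar days are an assumption here;
# confirm the counting rule with counsel before relying on these numbers.
CONFIRM_RECEIPT_DAYS = 10        # acknowledge every request
OPT_OUT_DAYS = 15                # stop selling the consumer's data
NOTIFY_THIRD_PARTIES_DAYS = 90   # tell third parties about the opt-out
KNOW_OR_DELETE_DAYS = 45         # answer a request to know or to delete
RECORD_RETENTION_MONTHS = 24     # keep a record of every request

VALID_TYPES = {"opt-out", "know", "delete"}


@dataclass
class ConsumerRequest:
    request_id: str
    request_type: str            # "opt-out", "know" or "delete"
    received: date
    confirmed: Optional[date] = None            # receipt acknowledged
    fulfilled: Optional[date] = None            # opted out / answered / deleted
    third_parties_notified: Optional[date] = None  # opt-out only


def deadlines(req: ConsumerRequest) -> Dict[str, date]:
    """Map each required step to its due date, counted from receipt."""
    if req.request_type not in VALID_TYPES:
        raise ValueError(f"unknown request type: {req.request_type!r}")
    due = {"confirm_receipt": req.received + timedelta(days=CONFIRM_RECEIPT_DAYS)}
    if req.request_type == "opt-out":
        due["fulfill"] = req.received + timedelta(days=OPT_OUT_DAYS)
        due["notify_third_parties"] = req.received + timedelta(days=NOTIFY_THIRD_PARTIES_DAYS)
    else:
        due["fulfill"] = req.received + timedelta(days=KNOW_OR_DELETE_DAYS)
    return due


def overdue(req: ConsumerRequest, today: date) -> List[str]:
    """Steps whose deadline passed while incomplete, or that were completed late."""
    done = {
        "confirm_receipt": req.confirmed,
        "fulfill": req.fulfilled,
        "third_parties_notified": req.third_parties_notified,
    }
    done["notify_third_parties"] = done.pop("third_parties_notified")
    late = []
    for step, due_date in deadlines(req).items():
        completed = done[step]
        if (completed is None and today > due_date) or (completed is not None and completed > due_date):
            late.append(step)
    return sorted(late)


def retention_until(received: date) -> date:
    """Earliest date the request record may be purged (24 months, as two calendar years)."""
    years = RECORD_RETENTION_MONTHS // 12
    try:
        return received.replace(year=received.year + years)
    except ValueError:           # Feb 29 with no leap day in the target year
        return received.replace(year=received.year + years, day=28)


def purge_eligible(req: ConsumerRequest, today: date) -> bool:
    return today > retention_until(req.received)


# Constructed sample requests (not real data).
SAMPLE_REQUESTS = [
    ConsumerRequest("R-1", "opt-out", date(2020, 1, 6), confirmed=date(2020, 1, 10)),
    ConsumerRequest("R-2", "know", date(2020, 2, 1)),
    ConsumerRequest("R-3", "delete", date(2020, 2, 29), confirmed=date(2020, 3, 2),
                    fulfilled=date(2020, 3, 20)),
]


def report(today: date, requests=SAMPLE_REQUESTS) -> Dict[str, List[str]]:
    """Request id -> list of overdue steps as of `today`."""
    return {r.request_id: overdue(r, today) for r in requests}


if __name__ == "__main__":
    for rid, late in report(date(2020, 2, 1)).items():
        print(rid, "overdue:" if late else "on track", ", ".join(late))
```

Running the tracker daily (or on each change to a request record) gives the operations team the same view an auditor would ask for: which requests were acknowledged and answered on time, and when each record becomes eligible for purge rather than being deleted early.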
Whew… that was a lot. Again, it is recommended to get legal help to ensure full compliance. But those 7 steps are critical. Furthermore, there are some common requirements across all steps and categories. Notices must:
- Be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer
- Use plain, straightforward language and avoid technical or legal jargon
- Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens
- Be translated into the languages in which the business ordinarily provides contracts, disclaimers, sale announcements, and other information to consumers
- Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format
- Be visible or accessible where consumers will see it before any personal information is collected
What happens if you don’t abide by these rules?
Being CCPA compliant may seem like a lot of hoops to jump through. The California legislature is trying to ensure that all businesses do indeed jump through these hoops, so they’ve established fines associated with the lack of compliance, which can add up quickly.
At an initial glance, the $2,500 fine per violation might seem pretty small to most businesses. But when you consider that this fine is PER violation, and that intentional misuse of data can increase the fine up to $7,500 per violation, it becomes a bit more threatening. For example, let’s say your business knowingly sells the data of 1,000 customers without their consent. This equates to a $7.5M fine. Let’s say it was unintentional; that fine drops to $2.5M, which is still nothing to scoff at, and that was only for 1,000 customers. Further, lack of compliance opens the door to California residents assembling lawsuits for the breach of their “non-encrypted or non-redacted personal information”. As we’ve seen with data breach cases at Experian, Marriott, Yahoo, and Target, these can be very costly.
What can I do to stay on the right side of the law?
Complying with CCPA will take time, money, and resources to create a watertight system, but the opportunity to reduce risk and build consumer trust is too significant to pass by.
- A summary of CCPA with basic facts
- A side-by-side comparison of GDPR and CCPA
- The regulations themselves
- Additional information about CCPA
- Additional information about penalties for violating CCPA
*This article is intended to be used for general information purposes only and should not be taken as legal advice. The content in this article is general in nature and may not be suitable for your specific business circumstances. Please seek your own professional legal advice before making any decisions relating to data protection.