The California Consumer Privacy Act, passed in 2018 and wracked with controversy — with tech giants like Facebook, Google, Amazon and others in opposition — went into effect this month, adding to the data usage and storage restrictions imposed by EU’s GDPR regulations that went into effect last spring. The law, the first of its kind in the United States, gives consumers greater control than ever over the storage and use of their personal information.
While, as consumers ourselves, we are fully on board with giving people stronger ownership over their information, we’re also a business working with businesses, and we understand the importance of consumer data for personalized marketing and growth — and the anxiety these regulations may cause. So we wanted to take a moment to share a primer on the CCPA, which you can read in full here. What does it do, who does it affect, and what does it mean to be compliant?
(Note that this post is meant as an introduction. It should not be construed as legal advice, but we do hope it can help point you in the right direction.)
What Does the CCPA Do?
In short, these regulations give consumers better control over who has access to their personal information. This includes five broad functions of the legislation:
- Gives consumers the right to know what personal information companies are collecting, why they are collecting it, and who they’re sharing it with.
- Gives consumers the right to tell companies to delete their information and to not sell or share it without risking reduced quality of service. (Though it does give companies the right to incentivize customers who provide personal information.)
- Makes it more difficult to share or sell data on children under 16.
- Makes it easier for consumers to sue companies (individually or in class-action suits) if the guidelines are violated—whether or not there’s a privacy breach.
- Gives state’s attorney general more authority to fine companies that don’t adhere.
What Constitutes Personal Information?
Personal information used to consist solely of information that could directly identify an individual or household (think names, addresses, social security numbers, credit card numbers, etc.). However, GDPR broadened that definition, and the CCPA broadens it even further, including “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes data points that don’t identify individuals on their own but could if combined with other information. It also includes any inferencesdrawn from personal information to create a profile “reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”
Which Businesses Are Affected?
All companies that serve California residents (regardless of where the business, itself, is located) are affected if they meet one of the following criteria:
- They have at least $25 million in annual revenue.
- They have personal data on at least 50,000 people or collect more than half their revenues from the sale of personal data, regardless of size.
It’s important to note that the regulations define “selling” broadly, as well:
“’Sell,’ ‘selling,’ ‘sale,’ or ‘sold,’ means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
So, what are the damages for a business that’s not in compliance? Fines amount to $7,500 per intentional violation, $2,500 for unintentional violation, and $750 per affected user in civil damages.
My Business Is Affected. What Do I Need to Do to Be Compliant?
First and foremost, you’ll want to work with your attorneys and consultants to ensure all your systems and processes are compliant. But to get you started, here are three key steps:
- Ensure users have the means to request access to their personal information online and via a toll-free phone line.
- Ensure your business is ready to comply with requests to both access and delete data within 45 days. Given that customer information may be stored piecemeal in a variety of systems, it’s a good idea to create a detailed, centralized inventory of California customers’ personal information.
- If applicable, warn customers that your business is selling personal information, providing a clear link on your website to allow users to opt out if they want.