How the California Consumer Privacy Act (CCPA) will impact your business: definition, guidelines, and obligations

If you have accounts or prospects in California, you’ll need to be CCPA-compliant by January 2020.

The California Consumer Privacy Act (CCPA) — which was signed into law in June 2018 — will take effect in only a few short months and send shockwaves across industries and businesses that handle personal information of California-based consumers. It’s not a toothless regulation to take lightly, nor will it be the last. The CCPA is the first of the privacy protection tidal wave in the U.S. that is expected to cover the entire country from coast to coast.

Remember GDPR and how disruptive it was? The CCPA may seem like a copy of GDPR, but it’s not. Even companies unaffected by or already compliant with GDPR will most likely need to make additional changes. Because non-compliance will be severely penalized, businesses must get their bearings and assess whether the CCPA covers any of their operations.

Make no mistake: you can still be liable to CCPA violations even if your business does not have an office in California. Moreover, the new law will protect California residents wherever they are traveling or temporarily living, so you can still be liable for infringements that occur outside the Golden State.

Read on for more information on the CCPA, plus some tips for ensuring that your company won’t run into any trouble when the law takes effect.

Legal Disclaimer: We applied our best understanding of the California Consumer Privacy Act when building this article. However, we are not legal professionals. To minimize risks, kindly refer to the actual text of the CCPA and seek the advice of your corporate lawyer.

What Is the CCPA?

Enacted by the California State Legislature, the CCPA is a law that establishes, protects, and enforces the rights of California residents to their personal information being collected or held by businesses.

Basically, the California Consumer Privacy Act holds businesses to higher standards of transparency and regulates what they can and cannot do with personal information, especially when it comes to user privacy, purpose for holding data, and data sharing.

The official CCPA website states that the new law will give California residents new consumer privacy rights, including:

1. Knowing what personal information is being collected about them.
2. Knowing whether their personal information is being sold or disclosed and to whom.
3. Saying “no” to the sale of personal information.
4. Accessing their personal information.
5. Access to equal service and price, even if they exercise their privacy rights.

Corporate disregard of these rights can lead to severe penalties. To enforce these rights, the CCPA also establishes:

• Mechanisms for resolving non-compliance
• Penalties for violations
• The role of the state (the attorney general) in penalizing violators
• The right of individuals — privately or collectively — to sue non-compliant companies.

Which Businesses Are Affected By the CCPA?

At the moment, the legislation primarily affects larger businesses and other for-profit organizations. You are affected any of the following conditions applies:

1. Your business earns more than US$25 million in gross revenues.
2. Your company holds personal information of more than 50,000 consumers, households, or devices.
3. Your business earns more than half of its annual revenue from the sale of personal information belonging to residents of California.
4. Your company is owned by (or shares branding with) a business entity that matches any of the first three conditions.

What Are My Obligations As a Covered Business?

Every business that handles consumer data needs a full legal understanding of the CCPA to manage risks, avoid getting penalized, and retain customer trust.

Under the law, covered businesses are required to:

1. Provide methods (such as a toll-free number or a web page) for consumer requests for information.
2. Disclose and deliver requested information — properly categorized — free of charge within 45 days.
3. Adhere to guidelines concerning how much data can be collected and for how long.
4. Inform California consumers — through readily accessible means such as a webpage — about their rights, how the company collects their information, and its purposes for doing so.
5. Provide accessible means by which consumers can instruct the company not to share or sell their data.
6. Comply with consumer requests to stop sharing their personal information with third parties.
7. Delete personal data (subject to certain restrictions) upon request.
8. Ensure that any data sharing with third-parties meet all new restrictions.
9. Provide the same level, pricing, and quality of service to consumers who opt to exercise their privacy rights.

What Happens If I Fail To Comply?

This is where it hurts. In its current form, the CCPA provides a 30-day window for non-compliant companies to set things right. However, if the issue remains unfixed after 30 days of being informed by the State Attorney General, each violation can lead to a maximum fine of US$7,500.

More importantly, consumers can take individual or class-wide action themselves against non-compliant businesses. Statutory damages for such civil suits are US$100-750 per incident. This can add up quickly for companies with thousands of California-based customers.

Making matters worse for businesses, there’s a pending bill that seeks to expand CCPA, one of whose provisions is to eliminate the 30-day window.

What Does “Personal Information” Mean?

As defined by the law, “personal information” refers to any information about or related to a particular consumer or household. This includes — but is not limited to — names, aliases, contact numbers, email addresses, social security data, financial information, biometric data, browsing activity, educational/professional information, and inferred profiles from this data.

Turning the CCPA Into a Net Positive For Your Company

The CCPA is an administrative hassle, no doubt, but it is also a golden opportunity to improve data governance, implement security best practices, and build trust with customers.

Here’s what you can do:

1. Verify if the CCPA applies to your company. Better yet, assume that you are covered in order to future-proof business expansion.
2. Consult with consumer data privacy experts, especially those who have helped orchestrate corporate compliance for GDPR. If your company already complies with the European regulation, then you’re in a good position to achieve full CCPA compliance in time.
3. Hire an experienced executive to own global regulatory compliance and formulate a comprehensive data strategy. This could be a data protection officer or a privacy specialist.
4. Perform an audit of your processes that involve the collection, storage, and sharing of personal data.
5. Update your data security and protection system to acceptable standards.
6. Work only with third parties who are also GDPR/CCPA compliant. Consider solutions that assess, synchronize, and accelerate third party regulatory compliance. Adopt products and services that have relevant certifications from standards-setting agencies such as the ISO.
7. Adequately inform customers about how you intend to use their personal data, especially when asking them to share personal information via subscription forms, landing pages, and other opt-in mechanisms.
8. Ensure that your private policy statements comply with transparency guidelines and that there are easily accessible means for your customers to a) request for information about their personal data; and b) inform you that they wish to exercise their right to privacy. Obviously, you should always respect and quickly respond to their requests.

There’s only one way to turn a looming industry challenge into a competitive advantage. This is only one of the first waves of a changing, more regulated data privacy and security climate. It will pay off to be informed and compliant with all new regulations.

Being mindful and transparent about your customers’ personal data can drive loyalty. Embracing a privacy-by-design culture ensures your products will thrive in the new environment. Adopting solutions that already comply with the most stringent data standards reduces the likelihood that you’ll face lawsuits and headaches in the future.