Data protection in the United States is about to undergo a major change, and everyone needs to be ready.
The California Consumer Privacy Act (CCPA), signed into law June 28, 2018, enters into effect Jan. 1, 2020. It creates several new obligations for many United States-based businesses with regard to the collection, treatment, and sale of personal information.
CCPA’s Scope
CCPA applies to for-profit entities doing business in California that satisfy at least one of the following thresholds:
- has annual gross revenues in excess of $25 million;
- annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- derives 50 percent or more of its annual revenues from selling consumers' personal information.
The CCPA text makes clear the regulation is geared toward providing regulators and consumers with greater control over the personal information that enters the stream of commerce. CCPA generally provides restrictions and limitations on the “sale” of personal information, but the regulation defines “sale” broadly enough that it includes many “free-to-download” products and services common in today’s marketplace, as well as the transfer of information to third parties.
What CCPA Means for Your Business
CCPA is an attempt at sweeping and comprehensive data privacy regulation in the United States. Many are under the misapprehension that simply updating a privacy policy is enough to avoid liability under the new law. However, it is important to note CCPA also grants California consumers certain rights, including the right to have businesses provide a comprehensive and individualized report of the information businesses have collected and sold related to the requesting consumer. CCPA also provides specific timeframes for businesses to respond to these requests. Failure to comply with CCPA could result in the following penalties:
- $2,500 for every unintentional violation;
- $7,500 for every intentional violation; and
- a private right of action: consumers may recover statutory damages for data breaches of their personal information.
Although CCPA shares some similarities with the General Data Protection Regulation (GDPR), the laws impose different obligations and regulate different data. Companies shouldn’t assume CCPA will have an insignificant impact on their business if GDPR compliance has already been assessed. In light of the aforementioned penalties and the limited window for responding to consumer requests, coupled with the impending Jan. 1, 2020 effective date, organizations should begin evaluating their data privacy and general information practices. Specifically, companies in the IT, marketing, and SaaS spaces should consider in advance whether they might be subject to the new law. While it may not be possible to get everything in order by Jan. 1 for companies just getting started, it is advisable to not delay compliance efforts.