
California Privacy Act and Implications for Business, States, and Interstate Businesses

On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) became enforceable. Although the EU adopted the GDPR to protect the personal data of individuals in the EU, its reach extends to organizations across the globe, including the United States.

At its core, the GDPR holds any organization that processes the personal data of individuals in the EU, whether or not the organization is established in the EU, accountable for protecting that data. Shortly after the GDPR became enforceable, California passed its own Consumer Privacy Act of 2018. Similar in concept to its European counterpart, this state legislation imposes regulatory requirements on organizations that handle consumer information. The Act has wide-ranging implications for enterprises throughout America, and the compliance deadline is approaching fast: it takes effect on January 1st, 2020.

What Is the California Consumer Privacy Act?

The California Consumer Privacy Act of 2018 (CCPA) imposes requirements that change the way organizations have traditionally stored, processed, and even sold personal consumer data. Seen by many as the state’s response to the excesses revealed by the Facebook and Cambridge Analytica scandal, among others, the CCPA’s primary goal is to protect individual privacy. It gives consumers the right to know what personal information a business has collected about them and the right to opt out of the sale of that information to third parties. It also gives consumers the right to request deletion of their personal information (comparable to the GDPR’s right to be forgotten) and allows businesses to offer financial incentives to consumers who agree to the collection or sale of their data.

Like the GDPR, the provisions of the CCPA have far-reaching consequences because the Act does not only police companies registered in the state of California. Any business that collects the personal information of California residents, does business in California, and meets any one of three thresholds must comply, regardless of where it is incorporated. The first threshold is annual gross revenue above $25 million. The second captures businesses that derive 50% or more of their annual revenue from selling consumers’ personal information. The third captures any business that annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

What Do Organizations Need to Do to Comply?

If an organization meets the criteria that bring its operations under the CCPA, it must inform consumers, at or before the point of collection, what categories of personal information it will collect and for what purposes. It also needs mechanisms to respond to individual consumer requests regarding their personal information. Similar in concept to the GDPR, consumers can request the specific pieces of personal information the business has collected about them over the preceding twelve months. Additionally, the CCPA requires organizations to disclose the categories of personal information collected, the purposes for collecting and selling that information, and the categories of third parties with whom it is shared or to whom it is sold. The Act also contains a special provision for children: a business may not sell the personal information of a consumer it knows to be under sixteen without affirmative authorization, which must come from a parent or guardian for children under thirteen and from the consumer themselves for those aged thirteen to fifteen.

In addition to tracking personal data, organizations that must comply with the CCPA have to disclose when personal information is sold or exchanged for other valuable consideration. The Act also requires businesses to give consumers the ability to opt out of the sale of their personal information to third parties, typically through a “Do Not Sell My Personal Information” link on the business’s homepage. Once a consumer opts out, the business must honor that choice for at least twelve months before asking the consumer to authorize sales again. As with the GDPR, businesses that fail to comply face financial penalties. Civil penalties in actions brought by the Attorney General run up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, the CCPA gives consumers a private right of action when their non-encrypted or non-redacted personal information is exposed in a breach that results from a business’s failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. With the effective date of January 1st, 2020 rapidly approaching, organizations that meet the CCPA’s thresholds need to ensure they have the relevant systems and processes in place.

What Are the Business Implications of the CCPA?

The CCPA has far-reaching implications for U.S. businesses that store, process, and trade in the personal information of California residents. Like its European counterpart, it requires organizations to make a substantial shift in how they deal with consumer data belonging to residents of the state. Any organization that processes the personal information of California residents and meets any of the stated thresholds needs to comply with the CCPA. It needs systems and processes that inform consumers how their personal information will be used, and mechanisms to verify and handle consumer access, deletion, and opt-out requests within the statutory deadlines, as well as to meet the specific requirements for data collected from minors. In addition to these obligations, businesses must ensure they have reasonable security measures in place to protect the data they store and process, since a breach of unprotected data exposes them to consumer lawsuits. Finally, they must give consumers the ability to opt in or opt out as applicable and keep a record of those choices.

Online Citizens Demand Privacy and Transparency

As the world embraces digital technology, and we use more online services to manage every aspect of our lives, privacy has become a central concern for online consumers. With data breaches making the news headlines daily, both governments and the public are demanding that organizations take appropriate measures to keep personal information secure. They also expect enterprises to be more transparent about how their data is stored, processed, and shared with third parties.

Regulations like the GDPR and the CCPA are forcing organizations that deal with personal data to transform and implement systems and processes to manage private information. Given the rising value of data in today’s information age, legislation that polices the online industry is only going to increase. That the European Union and California are already regulating how organizations use and secure information shows that this regulatory intervention is a growing trend. It will be interesting to see how other U.S. states, the Federal Government, and other leading global economies respond to the demand for privacy and transparency. The fact that the CCPA was drafted and passed within three months, compared with the four years the GDPR took, suggests that more such acts will be introduced on shorter timelines.
