Set to take effect in January 2020, the California Consumer Privacy Act (CCPA) can be considered “the beginning of America’s GDPR,” according to PWC.

The US market isn’t far removed from Europe’s General Data Protection Regulation strife. The EU put its strict privacy law into place in Spring 2018–and the compliance pain went global.

CCPA sets the tone for a new wave of privacy laws expected to take hold in the US. It creates a new challenge for businesses that will need a framework to deal with these new laws. Now that California has started the ball rolling, other states already have drafted legislation on the table. In fact, the Washington State Senate has already overwhelmingly passed a similar law.

So, what do you need to know about CCPA, and how can you prepare your business?

Is Your Company is Subject to CCPA Regulations?

You only need to answer “Yes” to ONE of the following three questions in order to be subject to CCPA regulations:

1. Does your company have annual gross revenues in excess of $25 million, adjusted for inflation?
2. Does your company derive 50% or more of its annual revenues from selling the personal information of California residents?
3. Does your company buy, receive, sell or share the personal information of 50,000 or more consumers or households, annually?

Essentially, if you have a for-profit company with any customers who live in California, (even if you do not have a physical presence in that state), TAG–you’re it.

CCPA vs. Other Privacy Laws

The biggest difference between CCPA versus other privacy laws, like GDPR, is that its protections extend to entire households. CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This addition adds a revolutionary new dimension to the concept of privacy: Beyond just personal privacy, companies must now also consider the collective privacy of everyone in a residence.

The Impact on New Business Processes

If your business is subject to CCPA, or if you simply want to be ready for other privacy laws that will inevitably follow, you’ll need to factor several general requirements into your business processes. Compliance rules for CCPA have not yet been finalized, but there are some preliminary guidelines to follow:

• You must ensure that you can readily provide users with access to all of the information you have collected about them, regardless of where that information is stored.
• Consumers are entitled to detailed insights into the types of information your company collects and everything you do with that information.
• You must provide users with an easy-to-navigate way to opt out of having their information shared or sold.
• Your users must be able to easily delete their data from your system.
• You’ll need to fulfill these user requests in a prompt manner, in order to avoid penalties.
• This includes maintaining an inventory and map of all personal data that you store, and monitoring all instances in which you share or sell that data.
• You will also need to update your service-level agreement with third-party data processors.
• Finally, you should check for any newly opened security gaps or system vulnerabilities that result from the changes you’ve made in information storage.

User Information Covered Under CCPA

CCPA includes all of the “assumed” sensitive consumer information (social security and driver’s license numbers, birthdate, financial information), but its coverage extends far beyond the basics.

It also includes your users’ geolocation information, as well as online behavioral profiles, such as internet browsing and purchasing history. It even encompasses inferences that your analytics may draw from online behavior, including personal interests, abilities, psychometric profile, and much more.

Even More Transparency

Under CCPA regulations, your site must post a prominent link entitled “Do Not Sell My Personal Information,” and your posted privacy policy must include all categories of personal information you collect. The law further prohibits companies from discriminating between customers on the basis of whether they exercise these CCPA privacy rights.

The Penalties

The California Attorney General will be able to impose damages of $2500 to $7500, per user, affected in each violation, depending on whether that violation was intentional or not.

CCPA also makes it easier for consumers to sue companies for data breaches, because the consumer does not have to prove damages. Anyone familiar with GDPR or who has been through a CFPB (Consumer Financial Protection Bureau) audit knows how consuming and costly regulatory impacts can be.

How to Keep Your Business Safe? Play Good Defense.

When Europe’s GDPR was enacted, many companies suffered financially because they underestimated the complexity of getting compliant. CCPA-readiness is going to require substantial work. Planning and implementing vital protection measures that meet strict compliance standards is often done best by experts who can conduct an impartial audit of your business.

An ideal partner will:

• Determine the extent of CCPA’s impact to your business and data portfolio.
• Audit your digital products and build a strategy to reach compliance.
• Remediate issues with engineering, operations, and design.

Getting an early start on identifying the information-handling processes you’ll need to implement is critical to being ready for CCPA.

Stay up-to-date on the status of the CCPA as it takes shape!

Subscribe to the California Attorney General’s CCPA notification email list.

‍