The US market isn’t far removed from Europe’s General Data Protection Regulation strife. The EU put its strict privacy law into place in spring 2018, and the compliance pain went global.
CCPA sets the tone for a new wave of privacy laws expected to take hold in the US. It creates a new challenge for businesses that will need a framework to deal with these new laws. Now that California has started the ball rolling, other states already have drafted legislation on the table. In fact, the Washington State Senate has already overwhelmingly passed a similar law.
So, what do you need to know about CCPA, and how can you prepare your business?
You only need to answer “Yes” to ONE of the following three questions in order to be subject to CCPA regulations:
Essentially, if you have a for-profit company with any customers who live in California (even if you have no physical presence in that state), TAG, you’re it.
The biggest difference between CCPA and other privacy laws, like GDPR, is that its protections extend to entire households. CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This addition adds a new dimension to the concept of privacy: beyond individual privacy, companies must now also consider the collective privacy of everyone in a residence.
If your business is subject to CCPA, or if you simply want to be ready for other privacy laws that will inevitably follow, you’ll need to factor several general requirements into your business processes. Compliance rules for CCPA have not yet been finalized, but there are some preliminary guidelines to follow:
CCPA includes all of the “assumed” sensitive consumer information (social security and driver’s license numbers, birthdate, financial information), but its coverage extends far beyond the basics.
It also includes your users’ geolocation information, as well as online behavioral profiles, such as internet browsing and purchasing history. It even encompasses inferences that your analytics may draw from online behavior, including personal interests, abilities, psychometric profile, and much more.
Under CCPA regulations, your site must post a prominent link entitled “Do Not Sell My Personal Information,” and your posted privacy policy must include all categories of personal information you collect. The law further prohibits companies from discriminating between customers on the basis of whether they exercise these CCPA privacy rights.
The California Attorney General will be able to impose damages of $2,500 to $7,500 per affected user for each violation, depending on whether the violation was intentional or not.
CCPA also makes it easier for consumers to sue companies for data breaches, because the consumer does not have to prove damages. Anyone familiar with GDPR or who has been through a CFPB (Consumer Financial Protection Bureau) audit knows how consuming and costly regulatory impacts can be.
When Europe’s GDPR was enacted, many companies suffered financially because they underestimated the complexity of getting compliant. CCPA-readiness is going to require substantial work. Planning and implementing vital protection measures that meet strict compliance standards is often done best by experts who can conduct an impartial audit of your business.
An ideal partner will:
Getting an early start on identifying the information-handling processes you’ll need to implement is critical to being ready for CCPA.
Stay up-to-date on the status of the CCPA as it takes shape!
Subscribe to the California Attorney General’s CCPA notification email list.