A California Consumer Privacy Act Overview

What Your Company Should Know to Comply

Cyber threats and attacks have been evolving and increasing every year. Regulations to protect consumer data have largely failed to keep pace. The most significant – the European Union’s General Data Protection Regulation (GDPR) – went into effect in May 2018 and has become the model for data protection law.

So far, the U.S. has not passed similar rules at the federal level. However, states are beginning to take matters into their own hands. In July 2019, New York updated its data protection regulations when it passed the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act).

California passed the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. According to an American Bar Association post, it sets the standard higher than ever before for U.S. companies regarding data privacy regulation.

What is the CCPA?

The CCPA gives consumers the right to compel companies to disclose the personal information they have collected about them and, subject to limited statutory exceptions, to delete it. At the same time, the law expands the definition of what is considered personal information. Beyond basic contact information and identifiers, it now includes purchase history and products or services considered; biometric data; geolocation; professional, employment-related and education information; browsing history and other online activity that can be tracked; audio, electronic, visual, thermal, olfactory and similar information; and inferences drawn from any of these to build a profile of the consumer.

Under the new law, consumers who ask that their personal information be disclosed or deleted, or who opt out of its sale to third parties, cannot be refused service or charged a higher price for exercising those rights.

Companies must provide a privacy policy that complies with the CCPA and update it at least once every 12 months. The policy must be posted on the company website and contain a link to the opt-out page.

What Should the CCPA Privacy Policy Include?

The privacy policy must include:

  • A description of the new rights extended to California residents
  • How to submit a request for collected personal information to be disclosed and/or erased
  • A link to the “Do Not Sell My Personal Information” opt-out page
  • A list of all the types of personal information collected in the past 12 months from all online and offline sources
  • A list of all of those sources
  • The way in which each type of collected information is used and for what purposes
  • A list of the types of information sold to third parties in the past 12 months
  • A list of all types of personal information disclosed for a business purpose, such as to audit ad impressions and to detect and protect against security incidents

Which Businesses Must Comply with the CCPA?

The CCPA applies to for-profit entities that do business in California and collect California residents’ personal information, provided they meet at least one of three thresholds. You don’t have to be physically located in the state to be affected by the law. If you’re an out-of-state company that sells to California residents, or even operates a website that they use, you’re subject to its regulations if you:

  • Have annual gross revenues above $25 million
  • Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices per year
  • Derive 50 percent or more of your annual revenue from selling consumers’ personal information

According to Business Insider, California now has the fifth-largest economy in the world – just ahead of the UK. As such, it’s unlikely that many companies will want to or be able to afford to give up selling products and services there.

In fact, many companies are planning to make their CCPA compliance a nationwide implementation in advance of growing interest in consumer privacy regulation elsewhere. The law could become the de facto answer to the GDPR in the U.S.

What are the Penalties for CCPA Non-compliance?

Penalties for non-compliance can become serious quickly. The California Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, consumers have a private right of action, individually or as a class, when non-encrypted and non-redacted personal information is exposed in a breach caused by the company’s failure to implement and maintain reasonable security procedures and practices. In that case they can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Other CCPA violations are not privately actionable; enforcement of those is left to the Attorney General.

The CCPA also contains a “cure” provision. Before the Attorney General brings an action, and before a consumer can seek statutory damages, the company receives written notice of the alleged violation and has 30 days to cure it. For the private right of action, the statute applies only where a cure is possible and requires the company to give the consumer an express written statement that the violation has been cured and will not recur. Data that has already been exposed cannot be recalled, so in practice the provision rewards fixing the underlying security failure and documenting that fix promptly.

What Are the Right Steps to Take Now and Going Forward?

With January 1, 2020 right around the corner, if you haven’t already assessed your need to comply with the California Consumer Privacy Act, get together with your legal counsel immediately to begin the process.

Even if your company is not required to comply, don’t ignore this important legislation. While California and New York have taken the lead on data privacy, it’s reasonable to expect other states will join the trend. Every company that collects consumer data can benefit from strong data protection guidelines.

Today, it’s also very important that companies get support from cybersecurity specialists to be sure that they have cybersecurity policies and procedures in place and that they’re properly implemented. Because the private right of action turns on whether the company maintained “reasonable security procedures and practices,” documented and tested controls are the company’s primary defense.

Given the potential reputational and bottom-line costs of data breaches, consumer data protection also protects the enterprise itself, and the financial services industry as a whole.

The CCPA also opens a new area of regulatory compliance. Regulated companies are accustomed to complex SEC and FINRA rules, and to protecting personal data as traditionally defined. This legislation broadens the protection of consumer data across regulated and non-regulated businesses alike. Proper compliance will require a multi-disciplinary approach, with technology, marketing and legal teams working together to deliver solutions.