If you have accounts or prospects in California, you’ll need to be CCPA-compliant by January 2020.
The California Consumer Privacy Act (CCPA) — which was signed into law in June 2018 — will take effect in only a few short months and send shockwaves across industries and businesses that handle personal information of California-based consumers. It’s not a toothless regulation to take lightly, nor will it be the last. The CCPA is the first of a tidal wave of privacy protection laws in the U.S. that is expected to cover the entire country from coast to coast.
Remember GDPR and how disruptive it was? The CCPA may seem like a copy of GDPR, but it’s not. Even companies unaffected by or already compliant with GDPR will most likely need to make additional changes. Because non-compliance will be severely penalized, businesses must get their bearings and assess whether the CCPA covers any of their operations.
Make no mistake: you can still be liable for CCPA violations even if your business does not have an office in California. Moreover, the new law will protect California residents wherever they are traveling or temporarily living, so you can still be liable for infringements that occur outside the Golden State.
Read on for more information on the CCPA, plus some tips for ensuring that your company won’t run into any trouble when the law takes effect.
Legal Disclaimer: We applied our best understanding of the California Consumer Privacy Act when writing this article. However, we are not legal professionals. To minimize risks, kindly refer to the actual text of the CCPA and seek the advice of your corporate lawyer.
Enacted by the California State Legislature, the CCPA is a law that establishes, protects, and enforces the rights of California residents to their personal information being collected or held by businesses.
Basically, the California Consumer Privacy Act holds businesses to higher standards of transparency and regulates what they can and cannot do with personal information, especially when it comes to user privacy, purpose for holding data, and data sharing.
The official CCPA website states that the new law will give California residents new consumer privacy rights, including:
Corporate disregard of these rights can lead to severe penalties. To enforce these rights, the CCPA also establishes:
At the moment, the legislation primarily affects larger businesses and other for-profit organizations. You are affected if any of the following conditions applies:
Every business that handles consumer data needs a full legal understanding of the CCPA to manage risks, avoid getting penalized, and retain customer trust.
Under the law, covered businesses are required to:
This is where it hurts. In its current form, the CCPA provides a 30-day window for non-compliant companies to set things right. However, if the issue remains unfixed after 30 days of being informed by the State Attorney General, each violation can lead to a maximum fine of US$7,500.
More importantly, consumers can take individual or class-wide action themselves against non-compliant businesses. Statutory damages for such civil suits are US$100-750 per incident. This can add up quickly for companies with thousands of California-based customers.
Making matters worse for businesses, there’s a pending bill that seeks to expand the CCPA, and one of its provisions would eliminate the 30-day window.
As defined by the law, “personal information” refers to any information about or related to a particular consumer or household. This includes — but is not limited to — names, aliases, contact numbers, email addresses, social security data, financial information, biometric data, browsing activity, educational/professional information, and inferred profiles from this data.
The CCPA is an administrative hassle, no doubt, but it is also a golden opportunity to improve data governance, implement security best practices, and build trust with customers.
Here’s what you can do:
There’s only one way to turn a looming industry challenge into a competitive advantage. This is only one of the first waves of a changing, more regulated data privacy and security climate. It will pay off to be informed and compliant with all new regulations.
Being mindful and transparent about your customers’ personal data can drive loyalty. Embracing a privacy-by-design culture ensures your products will thrive in the new environment. Adopting solutions that already comply with the most stringent data standards reduces the likelihood that you’ll face lawsuits and headaches in the future.