Just when we finished preparing for GDPR, there’s a new player in the consumer privacy game. Call it the lesser-known “little brother” of GDPR— if the California Consumer Privacy Act (CCPA) isn’t yet on your radar, it needs to be soon.
Much like GDPR, CCPA seeks to protect the privacy of consumers by shielding personal information that relates to, describes, is associated with or can be linked to an individual.
Should you be concerned?
The short answer is yes; privacy legislation—even at the state level—should be taken seriously. Like it or not, data security, consumer privacy and compliance aren’t just the new buzzwords, they’re our modern-day marketing realities.
Let’s take a look at what the proposed CCPA legislation includes and where the potential “gotchas” lie.
CCPA - The Basics
For those of you driven by deadlines, get out your calendar and put a big “X” on January 1, 2020, the date CCPA officially goes into effect. Of course, you’ll also need to block out time in the preceding months to prepare your systems and processes for the changes.
Just who does this bill cover? Currently, CCPA is written to cover only California residents (all 40 million of them) but remember, California, the fifth largest economy in the world, was also the initiator of the first unsolicited commercial email law in the United States, which was later adopted as Federal legislation, or the CAN-SPAM Act. No doubt about it, California has a significant influence on the US. Thus, I anticipate that CCPA will also evolve into Federal regulation.
Translation: CCPA will have a bigger impact than its name currently suggests.
Organizations Impacted by CCPA
If you are a for-profit organization that does business in California and meets just one of the following CCPA thresholds, guess what? You are subject to compliance.
The criteria include:
- Organizations with gross annual revenues of $25 million or more, OR
- Organizations which derive 50% or more of annual income from selling consumer personal information—think beyond the obvious data broker scenario; if you earn half of your revenue from selling products or services which depend on consumer personal information (such as programmatic advertising), then your business could fall into this category, OR
- Organizations that are owned or controlled by a business that does any of the above.
And remember—these are “or” statements— if you meet any of them, then CCPA applies to you. (Not-for-profit organization reading this post? CCPA doesn’t address your business status, but rather than assume you are exempt, I advise you to consult your legal counsel for clarification on the topic.)
Now that we’ve covered the “when” and “who,” let’s move on to the “what” CCPA protects.
Data Covered Under CCPA
CCPA is about the control, protection, and insight of personal data. In other words, the consumer must be aware—at the point of data collection—that information is being collected, informed as to how the data will be used and then given the option to opt-out from sharing or selling that personal data.
CCPA defines “personal information” as:
- Personal identifiers
- IP address
- Email address
- Social security number
- Drivers license number
- Passport number and similar identifiers
Additionally, there are restrictions on collecting data pertaining to class information, personal property, products and services purchased, purchasing history, browsing history, geodata, biometric data, profiling, employment, and education-related data. Basically, if data can be tied back to a person or identifies an individual, it’s considered “personal data” and is protected by CCPA.
Note that personal information does not include publicly-available information from state, federal or local governments, but the caution here is how you intend to use that data and if that purpose is compatible with the other criteria of CCPA.
What’s most ambiguous about this bill (ironically!) are the fines. The penalties for non-compliance are subject to interpretation, both of the law itself and those enforcing it. Let me explain further.
If the California Attorney General’s office deems an organization is out of compliance, they’ll issue a notice and the organization will have 30 days to make corrections. After that, fines are enforceable and can vary greatly, depending if the violation is deemed intentional ($2,500/violation) or unintentional ($7,500/violation). What’s ambiguous is “per violation” and if that refers to “per incident” OR “per record involved”; there are many interpretations and debates on the topic. My advice: watch for updates to the legislation and get your legal team to review the actual language of the bill. (or better yet, don’t be out of compliance!)
Also included in CCPA is mention of civil damages, payable to the consumer. These fees can range from $100-$750/impacted consumer OR actual damages, whichever amount is greater. But wait—there’s more. CCPA also enables consumers to file lawsuits without showing proof of damages. The bottom line: between the financial penalties, time spent dealing with legal proceedings and potential harm to a brand’s reputation, not complying with the requirements of CCPA could be very costly.
In the upcoming weeks, I’ll go deeper into the legislation and the impact on your daily operations. In the meantime, I suggest rallying your legal team for round two of privacy legislation. While we will likely see further refinements to CCPA, the principles of it are here to stay.
This article was originally published on Perkuto’s blog. Read it as it originally appeared and/or subscribe to our blog to receive future posts.