On January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. Do you have to be concerned with CCPA compliance? How is the CCPA similar to, and different from, the European General Data Protection Regulation (GDPR)?
Both laws aim to protect the privacy of individuals, and both carry potential penalties and fines for non-compliance. Let’s take a look at CCPA and what it means to small business owners everywhere.
Not so long ago, when you handed personal information over to a company, the company assumed it owned that information. Ownership of our personal data wasn’t something that most of us questioned, or gave much thought to.
But that perspective is changing. Society is beginning to look at data, not as a company asset, but rather as a consumer right.
It’s crucial that your business adapts to these changing perspectives and keeps up with your customers’ expectations.
Here are some quick links to the topics we’ll cover in this article:
- What Is the CCPA?
- Do You Have to Take Steps to Ensure CCPA Compliance?
- What Does CCPA Require Affected Companies to Do?
- Is There a Penalty for Failure to Comply With CCPA?
- CCPA Compliance Checklist
- What Are the Differences Between CCPA and GDPR?
- GDPR Was Not the End of the World, CCPA Won’t Be Either
- Expect to See More Data Privacy Laws in the Future
What Is the CCPA?
The CCPA was enacted to protect the privacy of California consumers. It’s the first part of an effort to create a cohesive data privacy law for the United States. California has the largest state economy in America, and in fact, it is the fifth-largest economy in the world.
Since it’s such a large part of the national economy, California laws and legislation are often adopted by other states and, in many cases, ultimately by the entire country. So what happens in California can have an impact on national and international laws.
And, of course, due to its size, anything that happens in the California economy has global implications.
A Pew Research Center study says 81% of Americans feel they have little or no control over personal data collection. That includes data collected by both companies and the government. The CCPA addresses that lack of control.
The CCPA went into effect on January 1st, 2020, and became enforceable on July 1st, 2020.
Do You Have to Take Steps to Ensure CCPA Compliance?
Not all businesses are affected by the CCPA. It’s unlikely that most small e-commerce sites or personal sites meet the requirements. But the following types of businesses are subject to CCPA compliance.
- Those that have gross annual revenues greater than $25 million.
- Businesses that buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices.
- Any business that derives 50% or more of its annual revenue from selling California consumers’ personal information.
As you can see, the CCPA potentially impacts businesses of all sizes, not just large corporations. Maybe you only earn $1,000 a year from your website. If half of that $1,000 comes from selling personal user data, you must comply with CCPA.
Your company doesn’t have to be located in California to be subject to CCPA compliance. If you have customers or users who live in California, you are potentially affected. It’s safe to assume that most English language websites have California users or customers.
An IntoTheMinds marketing agency study shows that there has been an average increase of 86% in the number of complaints since the GDPR was implemented.
That would seem to be a strong indication that people are concerned about the privacy of their personal data. So we should expect to see a similar increase in awareness and complaints where CCPA is concerned.
While your business may not be directly affected by the CCPA, it doesn’t mean you should ignore the regulation. It’s in your best interest to work to reassure your customers that their data is safe with your company.
What Does CCPA Require Affected Companies to Do?
It isn’t possible to detail all of the CCPA requirements in this article. If your business is affected, you should read the details of the CCPA. That page is geared toward informing consumers of their rights, but you can see the areas that may affect your business. (Or, you can read the act itself.)
But specifically, there are CCPA data requirements for businesses. You must:
- Disclose to consumers that you sell or share personal information.
- Add a “Do Not Sell My Personal Information” option to your websites, as well as a toll-free phone number for consumer requests.
- Affirmatively collect consent to sell data from any consumer under 16, or from a parent or guardian for any consumer under 13.
- Treat customers equally on service and price regardless of whether they have exercised their rights under the law.
These are steps that your business may not have had to take for GDPR compliance.
The CCPA also requires you to train the employees who handle consumer privacy requests. They should know what their responsibilities are when it comes to handling personal information.
Ideally, you want everyone in your organization to know their responsibilities around private information, not only those who may deal with consumer privacy requests.
CCPA Compliance Checklist
There will, of course, be technical data issues that your IT and development teams will have to tackle. This checklist covers the operations concerns of any business seeking to be CCPA compliant.
- First, evaluate whether you are subject to the law. Not every business will be.
- Consider putting together a team that can specifically address each relevant area: legal, compliance, and technology. Everyone should look at compliance through the lens of their expertise.
- Create a compliance schedule or roadmap. Provide a timeframe so CCPA compliance doesn’t get left behind in the course of day-to-day work.
- Determine whether you should extend CCPA protections to all of your customers. Maintaining multiple privacy policies could lead to staff and customer confusion.
- Document all CCPA-related security changes and practices. In the event of a data breach, you want to be able to demonstrate that the “reasonable security” requirements of CCPA were in place.
- Establish a data request process. CCPA has very specific requirements for the release of personal information. Every public-facing member of your staff should be familiar with data request rules and policies.
- Map your data. You may be aware of the location of all the data you store on corporate servers, but is there data elsewhere? What about other service providers or in cloud storage?
- Review your vendor contracts. If any personal data you’ve collected is passed to vendors, check existing contracts for data use details. Amend any vendor contracts that don’t include CCPA protection.
- Train your employees on the changes. As I mentioned, CCPA is serious about training employees who deal with consumer privacy requests.
Is There a Penalty for Failure to Comply With CCPA?
Failure to comply could result in your business being fined. If you intentionally avoid CCPA compliance, the fines are more severe.
- $2,500 per record for each unintentional violation.
- $7,500 per record for each intentional violation.
That’s quite a difference, and it hinges on intent, that is, on choosing to ignore the law.
And while those amounts may seem low, they are “per record,” meaning they are cumulative. So if you intentionally violate the rights of a thousand California consumers, the fine is $7.5 million.
It remains to be seen how rigorous CCPA enforcement will be. But if it’s anything like GDPR enforcement, we can expect it to be wide-reaching. The smallest GDPR fine to date has been €90 (against a hospital in Hungary), so regulators are definitely enforcing the law at all levels.
The largest GDPR fine so far? Google was fined €50,000,000 in France.
What Are the Differences Between CCPA and GDPR?
Many of us spent at least some time learning about GDPR and how it affected our companies. So it’s helpful that many aspects of CCPA cover similar ground. You can use your knowledge of GDPR to understand much of CCPA. But there are some differences to be aware of.
One of the biggest differences is in the scope of the laws. The GDPR requires compliance from public institutions and non-profit organizations, as well as companies and businesses. The CCPA is aimed solely at for-profit businesses that are located in California or that process the personal information of California residents.
Some other key differences:
- The CCPA allows businesses to process consumer data unless the individual exercises his or her right to opt out of having that data sold. The GDPR requires EU data controllers to identify a lawful basis for processing data before it is processed in order to be compliant.
- The CCPA specifies that a consumer covered by the law must be a California resident. The GDPR does not specify residency or citizenship.
- CCPA excludes certain data from its scope that GDPR includes. The excluded data includes medical or clinical trial information, information sold to or from consumer reporting agencies, personal information that falls under the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999), personal information under the Driver’s Privacy Protection Act (a US federal statute covering personal information gathered by state Departments of Motor Vehicles), and any publicly available personal information.
- The right to be forgotten (called the “Right to deletion”) requires a response time of 45 days under the CCPA. The GDPR response time is 30 days.
Overall, the laws share more points than they differ on.
GDPR Was Not the End of the World, CCPA Won’t Be Either
I say that from a business standpoint, of course. For individuals, the effects of GDPR, and now CCPA, are all beneficial. The laws force companies to be more responsible and responsive when it comes to personal data.
We should all be glad for that.
But in the months before the GDPR went into effect, there was apprehension about it in corporate boardrooms worldwide. Compliance was costly for a large number of companies, and some of the requirements were difficult.
One of the most headline-grabbing protections contained in the GDPR was “the right to be forgotten.” The right allows an individual to request that certain data be deleted so it can’t be traced by a third party.
If that sounds like a difficult right or rule to comply with, it is. An International Association of Privacy Professionals study showed that companies found the most difficult GDPR obligation to fulfill was the right to be forgotten.
But we all adapted to GDPR, and we’ll adapt to CCPA. It just means a bit of work now, but implementing the protections will only make the affected companies stronger. Especially when it comes to safeguarding personal data.
The majority of people familiar with GDPR see it as a positive force. According to a 2019 Cisco Consumer Privacy Survey, only 5% take a negative view of the law. That’s a pretty astounding number.
Expect to See More Data Privacy Laws in the Future
The same Pew Research Center study cited earlier revealed that 63% of Americans understand little or nothing about existing consumer privacy laws. Considering the biggest previous privacy law was for EU residents, maybe that’s not surprising.
But CCPA affects Americans, so it could change that general lack of awareness.
As with most consumer protections, businesses will bear the brunt of the change, while consumers reap the benefits. But that’s not necessarily a bad thing. Yes, as a business owner, the CCPA may cause some short-term headaches and expense. But if you make your CCPA compliance known, you will gain the trust of your customers.
And consumer trust is one of the most valuable commodities we have.