Online sellers that serve California residents should especially take note: companies don't have to be based in California or have a physical presence there to fall under the law. Whether your business is based in California, Connecticut, or Canada, this article provides the most important components of CCPA you should know about and what it could mean for your business.
Personal data and privacy are at the forefront of consumers’ and policy makers’ minds. Like the European Union’s General Data Protection Regulation (GDPR) (enforced since May 2018), CCPA aims to enhance privacy rights and consumer protection, only this time for residents of California. Other states have CCPA-inspired bills in the works, including Massachusetts, New York, New Mexico, and more. So, even if you are not affected by GDPR or CCPA right now, chances are your business will be affected by consumer data and privacy enforcement sooner or later.
What is the California Consumer Protection Act (CCPA)?
CCPA is a bill intended to enhance privacy rights and consumer protection for residents of California, United States. It was signed into law on June 28, 2018 and took effect on January 1, 2020.
The Act is intended to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about them.
- Not be discriminated against for exercising their privacy rights.
The law describes personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This information can include, but is not limited to:
- Name and address
- Telephone number
- IP and email address
- Account name, customer number, and online identifier
- Browsing and order history
- Social security, driver's license, and passport number
- Banking and credit card info
CCPA does not consider publicly available information to be personal information.
Who Must Comply with CCPA?
Any business that does business with California residents and meets at least one of the following three criteria must comply:
- Has revenues in excess of $25 million (USD).
- Buys or sells the personal information of 50,000 or more consumers or households.
- Earns more than half of its annual revenue from selling consumers' personal information.
What are the Main Provisions of CCPA?
CCPA is similar to GDPR, so if you’re already GDPR compliant, you’re well on your way to being CCPA compliant.
At a high level, the law requires businesses to:
- Adjust privacy settings for California residents.
- Let buyers know what data is being collected.
- Let users reject the sale of their personal data.
- Provide buyers with the ability to download their data.
- Allow customers to delete or anonymize their info.
The law gives companies 30 days to comply once regulators notify them of a violation. If the issue isn't resolved, there's a fine of up to $2,500 per record for an unintentional violation and $7,500 per record for an intentional violation. Considering the number of records that could be affected in a data breach, fines can add up quickly.
Recently the International Association of Privacy Professionals estimated CCPA’s possible effect on Facebook, whose Cambridge Analytica scandal was one of the motivations for the law. With over 24 million users in California, Facebook could have faced a penalty of approximately $61 billion (USD) for an unintentional violation and up to $184 billion (USD) for an intentional violation.
How Does CCPA Differ from GDPR?
Some are referring to CCPA as America’s GDPR, but there are differences between them. In general, CCPA is less strict than GDPR. For example, GDPR requires companies to obtain opt-in consent from consumers, whereas CCPA only requires that companies give consumers the ability to opt out.
One provision where CCPA goes further than GDPR is in explicitly requiring businesses not to discriminate against a consumer who exercises their privacy rights. This means consumers have the right to equal services and prices regardless of whether they exercise their privacy rights or not.
Is Data Privacy Bad for Business?
It’s easy to see why businesses are nervous about regulations like CCPA and GDPR. The tidal wave that is consumer data privacy will challenge businesses and disrupt most current methods of personal data management. However, we should be in control of our own personal data, and organizations that embrace this new reality and respect customer privacy will be in a position to create trust-based relationships with customers and prospects that build loyalty and keep them coming back.
Businesses can expect more, not less, regulation around the use and handling of customer data. As a result, it will be incumbent on them to navigate an increasingly complex set of laws that will vary by country and state. The impact of non-compliance and violations, even if unintentional, has the potential to be insurmountable for businesses, putting their very existence at risk. For online sellers, the ability to comply with these new regulations will depend heavily on the tools provided by their commerce technology partners. Such tools should allow businesses to manage all customer data, including demographic information and behavioral data like browsing history and customer preferences. Businesses also need the ability to track how and where customer data is used and any third parties it’s shared with, to give customers the ability to modify, anonymize and delete their data, and to let customers opt in or out of customer data collection.