At the start of this year, a landmark new consumer privacy law came into effect, writes Mark Kahn, General Counsel & VP of Policy at Segment. The California Consumer Privacy Act (CCPA) was passed to protect the data privacy rights of all California residents and it inevitably drew comparisons to the EU’s General Data Protection Regulation (GDPR).
On 1st July, California’s regulators plan to begin doling out fines to punish those organisations that breach the law. As a result, businesses have been rushing to become compliant with the new rules.
Some had hoped that, due to the coronavirus pandemic, California Attorney General Xavier Becerra might push back enforcement. In March, a group of more than thirty signatories came together to request an extension of the time available to reach compliance. However, despite the unprecedented disruption, the Attorney General’s Office remains committed to the original deadline.
For European businesses, it would be easy to assume that the CCPA will have little bearing on them. Unfortunately, this could be a big mistake. Even though this is a piece of state-level American legislation, enforcement will affect companies across the globe.
Don’t be Fooled by the Name
To understand how the CCPA relates to your business, we must first take a closer look at the fundamentals of who is covered by the regulation.
The CCPA affects all for-profit companies that:
- Do business in California, and
- Collect personal information of consumers who are California residents,
and that satisfy at least one of the following criteria:
- Buy, receive, sell or share the personal information of at least 50,000 California residents, households or devices, or
- Have an annual gross revenue of over $25,000,000, or
- Derive more than 50% of annual revenue from selling the personal information of California residents
When deciding whether or not your business is covered by CCPA, it’s important to bear two things in mind.
Firstly, remember that the sheer size of California means that your business might interact with the personal information of more California residents than you might think. It’s the most populous state in the US; at 40 million, its population is bigger than most European countries.
Secondly, the CCPA is ambiguous in some of its definitions. For instance, there is confusion about what ‘selling personal information’ means in practice. What is clear, however, is that ‘selling’ does not need to involve the exchange of a payment: other actions, including activities as routine as online advertising, could be viewed as ‘selling’ if they involve sharing cookies to track online behaviour.
The CCPA is also vague about what it means to ‘do business’ in California. European businesses should be wary of the fact that, in the eyes of the law, they do not need to have employees or a subsidiary in the state to be considered to be doing business there. Simply having customers in California is likely to be sufficient.
This all means that CCPA could certainly apply to your business even if you are fully based in Europe. And with the fines for non-compliance and breaches likely to be considerable, it is best not to take the risk. When enforcement begins, the fine for unintentional violations will be $2,500 – for every violation. Put simply, this means if you failed to comply in the case of even just 100 California consumers, the penalty would be $250,000 (or roughly £190,000).
How You Can Get Ready for 1st July
Your business will almost certainly have taken steps to ensure compliance with GDPR. However, sadly this doesn’t mean that you are automatically compliant with the CCPA since there are key differences between the two regulations.
Getting ready for yet more privacy regulations might seem like an impossible undertaking for your business, especially at such a difficult time for many due to COVID-19. However, there are some fairly simple steps that any organisation can take to kick off the compliance process:
1) Get a full view of the information you are collecting: the majority of GDPR-compliant companies will already have conducted a data-mapping exercise. This should be re-evaluated for the CCPA to give your organisation an up-to-date understanding of what data it is collecting. Where possible, build on the work you should already have done to comply with GDPR – and be aware that you could be exposed to punishment under the CCPA through the companies you work with, so their data practices should also be considered.
2) Bring your privacy policy up to date: add a new section for the CCPA including key information such as a detailed description of the privacy rights of California residents and the categories of data that you collect and share. However, updating your privacy policy won’t be valuable unless you unify your business around it; all staff need to be given visibility into your policy and it should play a governing role in all of your commercial activity.
3) Make CCPA a priority: budgets are likely to be tight given COVID-19, but it is important that your business dedicates resources to compliance where it can. The potential for large financial penalties from 1st July onwards makes this worthwhile. For example, you may need to make material changes to your website or app if it collects personal information (as defined by the CCPA). You either need to state expressly that you never sell personal data, or you must include a ‘Do Not Sell My Personal Information’ link that allows the consumer to exercise their right to opt out of the ‘sale’ of their information.
Preserving Online Privacy in Times of Coronavirus
Many businesses are operating remotely right now due to COVID-19, with staff working from home and core services being offered digitally. All this means the extent of data flow is greater than ever; European companies must get on top of how they are interacting with data, or risk leaving themselves exposed to punishment come 1st July.
Businesses must also make sure they track the latest updates on CCPA carefully, since some key details regarding how the regulation will be interpreted and applied are still to be determined by the California Attorney General. While the GDPR had been scrutinised for a lengthy period before it was introduced, the CCPA was signed into law quickly in 2018, just months after it was first put forward by a group of consumer advocates.
In addition, this same group of consumer advocates has now put forward the California Privacy Rights Act (CPRA), known as ‘CCPA 2.0’. With strong polling numbers, it is likely to be voted into law in November 2020 and become effective in January 2023. CCPA 2.0 would establish the California Privacy Protection Agency to enforce privacy laws, and would amend the original CCPA to add a number of privacy-expanding provisions.
The fact that we’re still not sure what the implementation of the CCPA will look like and how CCPA 2.0 could change things makes it especially important for businesses to stay focused on privacy in the months ahead.