The U.S. doesn’t have a federal comprehensive privacy law like the European Union’s General Data Protection Regulation (GDPR), but the legislatures in individual states have been moving to fill
in the gaps by passing their own statutes to provide privacy protections to their residents. California’s Consumer Privacy Act (the CCPA) is at the forefront of these, and it goes into effect January 1, 2020 – which is right around the chronological corner.
California has the largest economy in the country, with some of the world’s largest companies located there (Apple, Google/Alphabet, Facebook, Intel, Oracle, HP, Disney, Wells Fargo, Chevron – the list goes on). But a business doesn’t have to be based in the state to be impacted by the CCPA. According to Forbes, this state law could affect almost all businesses in the U.S.
The objective of this and other privacy laws is to give individuals more control over the personal data that is collected, processed, and stored by businesses, government agencies, and other organizations.
History of California privacy law
Privacy has been considered an “inalienable right” under the California state constitution since the voters passed an amendment in 1974 (Article 1, Section 1). Prior to passage of the CCPA, the state already had a number of general privacy laws applicable to certain people and situations, such as the California Electronic Communications Privacy Act, the California Online Privacy Protection Act, the Consumer Credit Reporting Agencies Act, the Protection of Victim and Witness Information section of the Penal Code, the Domestic Violence Victim Privacy section of the California Civil Code, and many more.
The CCPA was preceded by the California Customer Records Act, which focused on security of personal information “owned or licensed” by businesses, and the Shine the Light law (California Civil Code section 1798.83) required notification of customers’ rights and information about their personal information.
The CCPA addresses both issues, and goes farther.
Does your organization fall under the CCPA?
Most companies that do business over the web today will have customers who reside in California. If your organization collects, processes, and/or stores any kind of personal data pertaining to such residents, you need to sit up and take notice.
The statute lays out three criteria that make an organization subject to the regulation’s requirements. The catch is that you only have to meet one of these to legally come under the jurisdiction of the law.
- Organizations with gross annual revenues in excess of $25 million. Note that this specifies revenues, not profits.
- Organizations that buy, receive, or sell the personal information of 50,000 or more consumers’ personal information.
- Organizations that derive 50% or more of their annual revenues from selling consumers’ personal information.
The CCPA is modeled after the GDPR in many respects, but it actually goes farther in its broad definition of what constitutes personal data. That means your organization could be in compliance with the GDPR and still need to meet additional requirements under the CCPA.
You might be breathing a sigh of relief if you don’t have any California customers or you work for a smaller organization that doesn’t meet any of the three criteria above. However, privacy is becoming more and more of a big issue and it’s highly likely that other states will follow California’s lead and adopt similar laws, and there is also a good chance that these laws will be strengthened as time goes on and will eventually apply to most businesses. In addition, the federal government has been under pressure to adopt overarching privacy laws similar to those in the EU.
Defining “personal information”
If you’re familiar with the GDPR – as so many organizations are after scrambling to comply with the regulation by the May 25, 2018 deadline – you know that law defines “personal data,” per Chapter 1, Article 4, as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR also differentiates in Chapter 2, Article 9 between “personal data” and “special categories of personal data” with the latter often referred to as sensitive personal data, with stronger restrictions on processing of data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The CCPA definition of “personal information” is a bit longer, and includes all information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It specifically names (but is not limited to):
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80. (name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information).
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information.
Personal information also includes inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. As you can see, this is a very comprehensive definition.
What is the impact of the CCPA?
If your company does fall under the CCPA, you may be wondering: exactly what does that mean for your business? For one thing, it means you might need a bigger compliance budget.
The standardized regulatory impact assessment for the CCPA (Berkeley Economic Advising and Research), predicted that direct costs of compliance could be as high as $467 million to $16.5 billion over the next decade.
These costs include legal fees, operational/labor costs, technical expenses, and business costs such as modifications to business models and policies. The dollar amount will vary depending on the type and size of the organization and its existing privacy protection processes.
The cost of non-compliance could be even higher, with fines of up to $7500 per violation.
Practical impact on consumers and businesses
The law grants certain rights to consumers and imposes certain obligations on organizations.
Rights of consumers
The CCPA grants the following rights to consumers whose personal data is collected:
- The right to know what personal data is collected, used, shared, or sold.
- The right to delete personal information that businesses are holding.
- The right to opt out of the sale of their personal information.
- The right to not be discriminated against (price or service) for exercising their rights to privacy.
Obligations of organizations
The CCPA imposes the following obligations on organizations that collect, process, use, share, sell, or store personal data of California residents:
- The obligation to provide notice to consumers before or when collecting their personal data.
- The obligation to create procedures for responding to requests from consumers to exercise their rights detailed above.
- The obligation to respond to such requests within specified times.
- The obligation to verify the identity of consumers who make requests under this act.
- The obligation to disclose financial incentives that are offered to consumers for the retention or sale of their personal data.
- The obligation to maintain records of consumer requests and the organization’s response, for at least twenty-four months (two years).
When the CCPA goes into effect at the beginning of the new year, it will impact a very large number of organizations, including many that are not located in California. If you’ve already taken the steps necessary to comply with the GDPR, you’re ahead of the game in achieving CCPA compliance – but don’t assume that it makes you automatically compliant with the California law. If your company falls under the CCPA, it’s important to make a full assessment and fill in any gaps to ensure that you have the appropriate privacy protections in place before enforcement goes into effect.