What is the California Consumer Privacy Act (CCPA)?


By Jessica Cowle


Over the last five years, businesses have faced increased pressure to comply with customer privacy regulations. GDPR (General Data Protection Regulation) is likely the first of many global privacy regulations — and now it looks like similar regulations have made their way to the United States.

In 2017, California became the first state to set statewide privacy regulations. If you host data from any California citizens — which likely applies to most U.S.-based companies — then you will have to comply.

What is the CCPA?

The California Consumer Privacy Act (CCPA) was created to protect the privacy and data of consumers. The CCPA initiative states that the act is intended to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.” The act requires businesses to tell consumers what data they are collecting and gives consumers the right to say no to the sale of their personal information. It will also allow consumers to sue companies if their personal data is breached.

When will CCPA go into effect?

CCPA is set to be implemented on January 1, 2020.

What will the CCPA Accomplish?

According to the official California Consumer Privacy website, the act will accomplish three major goals:

  1. Consumers will have the right to know what information companies are collecting.
    • Businesses use personal information every day for targeted advertising and for decisions on pricing and the level of service provided, and they keep an extensive electronic file on each consumer.
  2. Consumers will have the right to say no to a business sharing or selling personal information.
    • Businesses hold extensive electronic customer records: they know the customer’s address, current location, web browsing history, family members, age and financial information, and they are able to sell this information for their own gain.
  3. Consumers hold the right to protections against businesses that do not uphold the value of privacy.
    • There will be legal consequences for businesses that don’t respect consumers’ privacy.

Each business will be held accountable if information is compromised due to their failure to take preventative security measures.

Which companies need to comply with CCPA?

Companies that meet any of the following criteria will be expected to comply with CCPA:

  • The company exceeds an annual gross revenue of $25 million;
  • The company obtains personal information of 500,000 or more California residents, households, or devices annually; or
  • The company obtains 50 percent or more of its annual revenue from selling California residents’ personal information.

Most companies in the United States have customers in California and will likely be required to comply if they want to continue to receive information from their California customers.

Remember, California is likely the first state of many to implement these regulations. Eleven states, including New Jersey and Washington, have introduced similar legislation.

How is CCPA Different from GDPR?

GDPR was implemented on May 25, 2018 to standardize the data protection law across all 28 European Union (EU) countries. It requires businesses to protect consumers’ personal data for transactions that occur within the EU and affects any US business that operates in the EU.

Unlike GDPR, CCPA only applies to businesses in the state of California, not the European Union. CCPA also focuses on selling personal information for profit, whereas GDPR focuses on data ownership and rights of deletion.

[Figure: GDPR vs CCPA comparison. Source: Sirius Computer Solutions]

What does my company have to do in order to comply?

Companies first need to step back and determine if they want to maintain separate privacy notices for California residents and all other clients or create a single unified notice. Either way, most US-based companies will have to update their privacy policies to comply with CCPA.

In addition, your company will have to:

  • Review and understand what personal information is collected by your business.
  • Understand how the collected personal information is used, confirm whether it is sold to or shared with third parties, and establish the purpose of any such sharing.
  • Review internal policies and procedures regarding the collection of personal information.
  • Update internal and online privacy policies to comply.
  • Prepare policies and procedures to make sure your company can respond when customers request access to their information, its deletion, or details about its sale or disclosure.
  • Implement and prepare technological solutions that process customer requests to opt out of the sale of personal information.
  • Train employees responsible for handling customers’ personal information.
  • Review contracts with service providers that hold consumer personal information provided by your business.
  • Ensure that third-party audits of service providers who have access to your consumers’ personal information are compliant with CCPA.

For more detailed information about how to comply with CCPA, we recommend the following resources:

CCPA is just the beginning. By 2025, expect more states to sign similar legislation, giving every US consumer the right to know exactly how their data is being used. Companies would do well to prepare now rather than wait until the deadline.
