Implications of the California Consumer Privacy Act of 2018

It’s no secret, consumers are increasingly mindful of who is accessing, collecting, receiving, storing and otherwise processing their personal data. In an effort to standardize data protection requirements across the European Union and improve trust in the rapidly expanding digital economy, the European Parliament and Council introduced the General Data Protection Regulation (GDPR), which went into effect this past spring.

The GDPR is effectively changing the way business is conducted around the world, with massive implications for global ecommerce. And we’re now seeing the push for data protection in the United States with the adoption of the California Consumer Privacy Act of 2018 (CCPA).

Going into effect January 1, 2020, the CCPA applies to businesses that collect, sell, or otherwise process information about California residents. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses. It covers any business that meets revenue or data collection volumes and that collects, processes or sells information about California residents.

Where did this come from?

California’s privacy law is the state’s attempt to rectify the excesses revealed by Cambridge Analytica and Facebook, and other organizations in which consumer information was used, sold and frequently ravaged without consent. It imposes new measures on companies that do business in the state that will force them to dramatically change the way consumer information is handled.

The CCPA gives people access to the information that companies have stored, enables them to opt-out of having their data shared or sold, and includes the EU’s concept of the right to be forgotten. The law also allows companies to compensate people for the sale of their data, and it is enforceable by the state Attorney General.

Who does it affect?

Similar to the GDPR, the CCPA does not require a physical presence in the state. Instead, organizations must simply conduct business with California residents and either have an annual gross revenue in excess of $25 million; derive 50 percent or more of its annual revenues from selling consumers’ personal information; or buy, receive for business commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices, annually.

Companies that meet these requirements need to read the law in its entirety to fully grasp the impact it will have on their business. It’ll be necessary to review internal policies and procedures to be able to appropriately respond to consumers’ requests for access, deletion, or information related to the sale or disclosure of their personal information.

Establish an open dialogue with consumers

Companies that meet the law’s criteria must inform consumers what type of personal information will be collected (for example, their name, email, phone number, etc.) and for what purpose, at the point of data collection. Companies also must be able to respond to individual consumer requests asking what specific type of personal information has been collected. With this in mind, companies should assess their reasons for processing data, and storage and processing activity must align with the law by its effective date. As these transparency standards are backed by legislation, it’s increasingly important for brands to remain honest with their customers if they want to retain their loyalty.

Be ready for access requests

Consumers can request a full record of their personal information that is collected by a business. Under the CCPA, businesses are required to disclose the type of personal information collected, where the personal information is collected, the business or commercial purpose for collecting or selling this information, and the type of third-parties with whom the information will be shared. This creates a unique need to have the ability to verify consumers’ requests for information and requires tools to quickly provide access to the requested data. On the backend, companies must work together to honor the inquiries, logging them and tracking any actions taken in an easy to recall repository.

It’s important to start planning and implementing technological improvements to information systems that may be necessary to process consumer requests and their rights to opt-out of the sale of personal information. Secondly, it’s necessary to update contracts with third-parties and service providers with whom consumer personal information is shared to ensure that the vendor can appropriately respond to consumer requests to delete information.

Give consumers ability to opt-out of sharing personal data

Not only are companies required to track the data on file and how it’s used, they must proactively disclose if personal data is sold, which can be an exchange of data for other valuable consideration beyond monetization. The law enables customers to opt-out of having their personal information sold to third-parties, and businesses cannot ask consumers to change this selection for at least 12 months.

For any consumer who requests to opt-out, companies must be sure that the user is actually the given subject of the personal data. When this request happens, one recommended approach is for a company to ask for at least three data points that are unique to that person. In ecommerce for instance, this can be an order ID, email address and physical address. Additionally, it is advisable for companies to incorporate security questions and/or multi-factor authentication into their processes to provide additional security.

Minors require special attention

Businesses must consider another set of requirements specific to minors. Parents are required to give consent regarding the sale of data for children younger than 13 years old, and businesses must track this adult consent. Children ages 13 to 16 years old can opt in themselves. If a company’s services could potentially target children, it is imperative to develop an age verification system before collecting any data to avoid potential non-compliance.

Not complying will come at a price

The CCPA carries potential fines of up to $2,500 per violation, which increases up to $7,500 per violation if the violation is deemed to be intentional. One thing to note, other than for a few notable exceptions outlined in the law, the CCPA can only be enforced by the office of the Attorney General of the State of California.

In addition, the law gives companies the opportunity to address their non-compliance issue within 30 days of notification before incurring financial penalties. To avoid financial loss and potential impact on consumer trust, an internal risk assessment is necessary to understand what data the organization collects and its data handling practices.

This is just the beginning

From the market value of companies that sell ads to how companies interact with their customers, the data protection movement is a shifting landscape that will have wide-ranging effects. The CCPA is likely the first in a long line of similar pieces of legislation, which will have implications in the business world.

A company should ensure that it has good data handling practices in place, not just to comply with the CCPA but also to confidently demonstrate its commitment to data protection, security and compliance generally. Businesses should complete its own risk assessment based on the specific sections in the Bill, asking the right questions throughout the company, and identifying any risks as a result. Companies should also develop training materials, including tailored in-person trainings, for all personnel who are responsible for handling personal consumer data. Complying with this law should be thought of as a universal program that crosses every segment of a company. Relying on top leadership support can help ensure it’s given the attention needed.

Don't miss