It seems like not too long ago, we were all preparing for GDPR to come into effect. Now, it’s another year and another regulation. This time, it’s the California Consumer Privacy Act (CCPA) that looms large on the horizon for many marketers. What is it and what does it mean for you? We put together this list of frequently asked questions to help you make sense of the new regulation, as it stands now.
Note: This blog post is intended to provide an overview of the CCPA and is not intended as legal advice. We suggest you consult an attorney to understand how the CCPA affects your company and how to ensure your compliance.
When does the CCPA go into effect?
It goes into effect on January 1, 2020. The Attorney General will not begin enforcement until July 1, 2020, or six months after the final regulations are published, whichever comes first.
You mean it’s not final yet, but it goes into effect in eight months?
That’s correct. There are still pending amendments and more guidance is expected to be published.
Who is covered by this regulation?
California residents only.
Who must comply with this regulation?
Any for-profit business that does business in California, collects personal information of California residents, and meets at least one of the following thresholds:
- Has gross annual revenue in excess of $25 million OR
- Annually buys, receives, sells or shares (alone or in combination) the personal information of 50,000 or more California consumers, households or devices OR
- Derives 50 percent or more of its annual revenue from selling California consumers’ personal information
Is 50,000 consumers, households or devices a year a lot?
Not really. “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes, but is not limited to, the following: Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, telephone number, insurance policy number, education history, employment history, credit card number, or other similar identifiers. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
The CCPA covers many categories of data and ties them not only to a natural person but to a household and to a device. Consider IP addresses alone: they are recorded in web server and analytics logs on every page view, so a modestly trafficked site reaches 50,000 distinct devices in a year without trying.
“Selling” means providing the information in exchange for money?
Actually, no. A “sale” under the CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” I read that as: a “sale” is any exchange of personal information for value, whether or not money changes hands.
What are the penalties for violating the CCPA?
There are two types of penalties included in the CCPA as it is written today:
1. Direct Right of Action for Data Breaches
- Consumers have a direct right of action against a business if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices (“personal information” here uses the narrower definition in California’s data breach statute, Civil Code §1798.81.5, not the broad definition above)
- Statutory damages of $100 – $750 per consumer per incident, or actual damages, whichever is greater, after written notice to the business and a 30-day cure period
2. Injunctions and Penalties for CCPA Violations
- The Attorney General can seek civil penalties from businesses that fail to cure a violation within 30 days of being notified
- Up to $2,500 for each violation
- Up to $7,500 for each intentional violation
What else do I need to know about the regulation?
The CCPA includes a set of consumer rights similar to GDPR.
1. Right to Disclosure – On request, businesses must disclose the categories and specific pieces of personal information they have collected about the consumer, the sources, the business purpose, and the categories of third parties with which it was shared or “sold.”
2. Right to Deletion – Consumers can request that a business delete their personal information.
3. Right to Opt Out – Consumers have the right to opt out of the sale of their personal information.
4. Right to Nondiscrimination – Businesses are obligated to not discriminate against consumers who exercise their rights.
What operational changes will we need to consider?
2. Methods for consumers to exercise their rights – You must offer at least two methods for submitting requests, including, at a minimum, a toll-free telephone number and, if you maintain a website, a website address.
3. Links for those that object to their information being sold – You must create a link on your company’s homepage (and any page where personal information is collected) that specifically says, “Do Not Sell My Personal Information.”
4. A process to honor consumer requests to not sell their personal information – The opt-out link needs a process behind it to collect the request, store it durably, and then suppress those individuals from every data “selling” activity, including feeds to ad-tech, analytics and data-broker vendors. Once a consumer opts out, you must refrain from selling their information and may not ask them to opt back in for at least 12 months.
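The suppression step above is the part that tends to get skipped: a link that records a request but never touches the vendor export pipeline is not compliance. The following is an added example, not code from the original post, of the minimal pattern: normalize the identifier, store a keyed hash of it (so the suppression list is not itself another plaintext copy of the personal information), keep the earliest request as the audit record, and run every outbound batch through the filter, failing closed on records that carry no usable identifier. The identifier kinds, field names, sample records and the secret key are assumptions made for illustration.

```python
"""Suppression list behind a "Do Not Sell My Personal Information" link.

Added example for illustration. Identifier kinds, record field names and the
vendor export shape are assumptions, not anything prescribed by the CCPA.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: in production this comes from a secrets manager. Keyed hashing
# means the suppression list cannot be reversed by anyone who only has the list.
SUPPRESSION_KEY = b"example-key-replace-in-production"


def normalize(kind: str, value: str) -> str:
    """Canonicalize an identifier so 'Jane@Example.com ' and 'jane@example.com' match."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "device":  # e.g. a cookie ID or mobile advertising ID
        return value.lower()
    raise ValueError(f"unsupported identifier kind: {kind}")


def suppression_token(kind: str, value: str) -> str:
    """HMAC-SHA256 over kind:normalized-value; the kind prefix keeps namespaces apart."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(SUPPRESSION_KEY, msg, hashlib.sha256).hexdigest()


class OptOutRegistry:
    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, str]] = {}

    def record_opt_out(self, kind: str, value: str, source: str,
                       received_at: Optional[datetime] = None) -> str:
        token = suppression_token(kind, value)
        when = (received_at or datetime.now(timezone.utc)).isoformat()
        # Keep the earliest request as the audit record; repeats never overwrite it.
        self._entries.setdefault(token, {"source": source, "received_at": when})
        return token

    def is_suppressed(self, kind: str, value: str) -> bool:
        return suppression_token(kind, value) in self._entries

    def filter_for_transfer(
        self,
        records: List[dict],
        id_fields: Tuple[Tuple[str, str], ...] = (("email", "email"), ("device", "device_id")),
    ) -> Tuple[List[dict], List[dict]]:
        """Split a batch into (allowed, suppressed) before it leaves for a vendor."""
        allowed: List[dict] = []
        suppressed: List[dict] = []
        for rec in records:
            ids = [(kind, rec[field]) for kind, field in id_fields if rec.get(field)]
            # A record with no usable identifier cannot be checked against the
            # opt-out list, so it is held back rather than shared: fail closed.
            blocked = not ids or any(self.is_suppressed(k, v) for k, v in ids)
            (suppressed if blocked else allowed).append(rec)
        return allowed, suppressed


# Constructed sample data for the example.
SAMPLE_OPT_OUTS = [
    ("email", "Jane.Doe@Example.com", "homepage-link"),
    ("device", "A1B2-C3D4", "app-settings"),
]
SAMPLE_RECORDS = [
    {"email": "jane.doe@example.com", "device_id": "ZZZZ-0001", "segment": "outdoor"},
    {"email": "john@example.com", "device_id": "a1b2-c3d4", "segment": "travel"},
    {"email": "sam@example.com", "device_id": "FFFF-9999", "segment": "travel"},
    {"email": "", "device_id": "", "segment": "unknown"},
]


def build_vendor_export(records=SAMPLE_RECORDS, opt_outs=SAMPLE_OPT_OUTS):
    """Load the opt-outs, then filter the batch exactly as an export job would."""
    registry = OptOutRegistry()
    for kind, value, source in opt_outs:
        registry.record_opt_out(kind, value, source)
    return registry.filter_for_transfer(records)


if __name__ == "__main__":
    allowed, suppressed = build_vendor_export()
    print(f"{len(allowed)} record(s) cleared, {len(suppressed)} held back")
```

With the constructed data, Jane is held back by her email, John by his device ID (matched case-insensitively), the record with no identifiers is held back because it cannot be checked, and only Sam’s record goes to the vendor. In a real deployment the registry would be a shared, durable store consulted by every export path, not an in-memory dictionary, and the 12-month rule in the step above means entries must not be purged early.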
What if our company doesn’t “sell” personal information? We are good, right?
Not entirely. The “Do Not Sell” link and the suppression process only apply if you sell, but the rights to disclosure, deletion and nondiscrimination, the required request methods, and the data-breach right of action apply to every covered business regardless. And given how broadly “sale” is defined above, check whether any sharing with ad-tech, analytics or other vendors involves “valuable consideration” before concluding you don’t sell.
Where do we start with our efforts to be compliant?
As with most regulations like this, the best place to start is data mapping. If you already comply with GDPR, most of the work is done, but this is a good time to revisit the data map and vendor inventory. You will need to know what personal information you collect, where it is stored, whom it is shared with, and whether any of that sharing is in exchange for “value.”