Last year, California passed the California Consumer Privacy Act (CCPA), which will come into force on 1st January 2020. This act establishes requirements for the protection of the personal data of California residents and will affect US and global companies.
The CCPA not only imposes restrictions on data-trading business models, which are widespread across the US, it also requires companies to achieve a compliance standard similar to that of the General Data Protection Regulation (GDPR) in the EU, especially in relation to transparency requirements, individuals’ rights and contractual frameworks.
Today, compliance teams in US companies, particularly in California, are already sceptical about the need to comply with the CCPA, as the act does not apply to all businesses. In order to decide whether the CCPA applies to your company, the following criteria must be considered:
- the personal data you are processing relates to individuals who are residents of California; and
- if your company is processing this information, it must also either:
  - have gross revenues exceeding $25 million;
  - purchase personal data on 50,000 or more consumers, households, or devices; or
  - derive 50% or more of its annual revenues from selling consumers’ personal data.
If your business meets the criteria above, your CCPA compliance journey must be initiated as soon as possible, as the start of 2020 may be a tough one with financial and reputational repercussions. In particular, the California Attorney General, who has been provided with additional financial support through the Consumer Privacy Fund, will be able to enforce the new law and bring forward class actions to impose civil penalties ranging from $2,500 per violation to $7,500 per intentional violation. Additionally, in the case of a personal data breach, consumers will be able to submit claims for statutory damages of up to $750 per consumer. When these penalties and statutory damages are combined into a class action lawsuit, business exposure becomes significant.
Recently, we witnessed a heavy financial penalty and restitution of $600 million imposed on Equifax as the outcome of a data breach under current data protection laws. It is just a matter of time until something similar happens to companies as a result of violating the CCPA.
What are the key requirements to comply with the CCPA?
Firstly, businesses must carry out an assessment to understand whether they are affected by the CCPA. This must primarily focus on the jurisdiction of business activities, the individuals affected, and the nature of data processing operations. It is advisable to run these assessments as early as possible, given the CCPA obligations, the significant changes to business models and the technical implementations that may be required.
Secondly, businesses must decide how they are going to deal with California residents’ personal data. More specifically, some of the CCPA provisions, such as offering financial incentives for collecting and selling personal data, are only applicable in California. For this reason, it is important to identify where your business model and data processing procedures will deviate from global or EU practices and what you need to do to make sure you are compliant with the CCPA.
Moreover, not only will companies have more stringent transparency obligations, requiring them to inform individuals to a similar degree as under the GDPR, but more information with respect to the sale of personal data will have to be disclosed. On top of the right to be informed, California residents will have to be granted a range of other consumer rights, including the rights:
- to request and receive personal data and information about their data processing;
- to delete their personal information;
- to opt-out from the sale of their personal information; and
- to receive a copy of personal data in a format suitable for transferring to another service provider.
Some of these rights may be new to some businesses, and therefore it is important to draft or amend existing procedures to make sure that individuals’ requests are dealt with in line with the CCPA.
Children will also have a right to opt in to the sale of their personal data, and this will create a need to set up and apply age verification procedures. Where consumers exercise any of these rights, companies will be prohibited from adopting aggressive business responses, such as denying goods or services to those individuals or otherwise discriminating against consumers.
Finally, the CCPA will also require businesses to review existing personal data security practices and procedures to ascertain that they are implementing sufficient measures to prevent and mitigate personal data breaches. In addition, vendor management and data sharing with third parties (mainly in relation to the sale of personal data) will have to be reviewed by setting up stringent contracts that clearly frame and limit the scope of data processing.
There is no doubt that the CCPA requirements have a significant impact on businesses operating in California, especially those that have not already reviewed their data processing in line with the GDPR obligations. This will trigger a great deal of compliance work which needs to be addressed ahead of January 2020. As a starting point, we suggest:
- assessing how your business is affected by the CCPA;
- deciding what you need to change in your business model, internal policies and procedures; and
- embedding changes to your day-to-day activities and focussing on customers and engagement with them.