Introduction to the California Consumer Privacy Act (CCPA) for Businesses
The California Consumer Privacy Act (CCPA) introduces substantial changes in consumer privacy rules that will impact many companies doing business in California. Non-compliance penalties are steep. And with a January 2020 effective date, now is the time to prepare.
Here’s what you need to know about CCPA and how to get started implementing its requirements.
Google. Facebook. Marriott. Microsoft. Netflix. Apple. Rubrik. Airbus. Hessian.
No, this is not a list of hot companies in which we recommend you invest your bonus. Rather, it’s a sample of the high-profile companies that are facing fines or litigation due to data breaches or noncompliance with the European Union’s General Data Protection Regulation (GDPR).
One of the first widespread data privacy regulations in the world, GDPR is intended to grant citizens of the European Union control over their personal data and to simplify the regulatory environment for international business by unifying related regulations across the EU. It applies to all publicly- and privately-owned and nonprofit organizations doing business with citizens of the EU.
While we may yearn to brush off data privacy regulation as a Eurocentric concept, it will land in our laps domestically all too soon: the California Consumer Privacy Act (CCPA) is slated to roll out at the start of 2020. While not as far-reaching as GDPR, CCPA introduces substantial changes in rules and definitions that will impact many commercial companies doing business in California (which, incidentally, represents over 14% of the U.S. marketplace – more than any other U.S. state).
Note: While GDPR and CCPA apply to defined types of entities, for sake of simplicity we refer to all applicable organizations as “companies” throughout this article. The information shared in this article shall not be construed as legal, financial, or other subject matter area advice; interpretation and requirements should be validated by your company’s legal counsel.
CCPA is the most significant data privacy regulation in U.S. history
CCPA was passed by the California State Legislature and then signed by the Governor of California on June 28, 2018. A set of amendments were signed into law on September 23, 2018. It will be effective beginning January 1, 2020 (which is a Wednesday – you heard it here first!).
CCPA applies to any for-profit company, domestic or internationally based, that does business in the state of California, collects consumer data, and meets at least one of the following thresholds: annual gross revenue over $25 million; holding the personal information of 50,000 or more California residents, households, or devices; or earning 50 percent or more of its revenue from selling California residents’ personal information. Note that unlike GDPR, in its current state CCPA applies to neither government nor nonprofit organizations.
The five areas of rights under CCPA
The law grants residents of California new rights regarding the data that companies collect about them. These can be grouped into five areas:
- Consumers have the right to know what information companies are collecting about them and companies must be equipped to respond to consumers’ requests to provide the categories and sources of information collected by the company about them;
- Consumers may request a copy of the information collected about them (similar to the consumer information provisions of the Fair Credit Reporting Act (FCRA) of 1970);
- Consumers have the right to request that their personal data be deleted, and within defined bounds companies must comply;
- Consumers have the right to decline the sale or sharing of their personal data; and
- Companies can’t deny goods or services to a consumer who exercises their rights under the Act.
CCPA prepares the path for future regulation
CCPA provides consumer protections to Californians similar to those afforded to EU citizens by GDPR, but many of its definitions vary, and therefore how its requirements will need to be implemented will vary as well. CCPA is also differentiated by being the first of its kind in the United States, and will likely serve as a model for legislation in other states and, eventually, the federal government. States including Massachusetts, Washington, and New York are already discussing similar legislative action. The Washington Privacy Act (WPA) is currently making its way through state approvals. Analysts report that the requirements outlined in the WPA go beyond CCPA; it’s more closely aligned with GDPR. Predictably, there are now rumblings in favor of establishing a federal data privacy law to replace a network of varied state-led legislation.
Compliance with CCPA is non-optional
The penalties for noncompliance with CCPA were designed to incentivize companies to implement its requirements rather than wait for punishment. CCPA includes penalties for noncompliance that can escalate according to whether the offense is judged as intentional or not. Identified unintentional noncompliance, if not cured within 30 days, can result in a penalty of up to $2,500 per violation. That means a business with 1,000 California resident customers could face a penalty of up to $2,500,000. A violation deemed intentional can increase the fine to up to $7,500 per violation. So the same small business with 1,000 customers could face a fine of up to $7,500,000.
While steep, the fines associated with CCPA noncompliance may not be the largest risk. Depending on the type of violation, consumer-driven (civil) damages could cost companies millions. Should a data privacy breach occur, consumers could seek to recover actual damages as well. Other potential direct and indirect costs from noncompliance include legal and public relations damage control fees, lost employee productivity, and significant or even viability-threatening damage to company/brand goodwill.
In short: if your company does business in California and falls under CCPA, it cannot afford to ignore the Act, which represents tremendous risk. So with the January 1, 2020 deadline fewer than three quarters away and the California Attorney General finalizing regulations and gearing up for enforcement, now is the time to begin the design and implementation of a CCPA adherence strategy.
If it’s not already in progress, kick off your company’s CCPA adherence program now
While this article is a solid summary, ground your (and your CCPA team’s) knowledge with the full text of the CCPA. Give it a read, or at least skim it. It will take less than half an hour and give you a good idea of the breadth and depth of CCPA’s requirements. Take note of the areas that will most affect your organization; those may be the areas in which to assign leads first. And be sure to validate (involving your legal counsel if needed) that your company is required to follow CCPA rules.
Then, if you haven’t already begun implementation planning, now’s the time. Communicate your vision and build design and implementation teams. You’ll need to work with data privacy specialists and lawyers, but the core of implementation will happen closest to the data. This means that your sales, marketing, HR, operations, and IT teams will be highly engaged in CCPA preparation. Ultimately this initiative will reach virtually all parts of your business. Working with trusted partners to help prepare your functional areas for CCPA will be critical to the success of your organization.
Our experience is that this initiative should be governed by senior executives in each function and led by a coordinated team across the business. Although executives will be part-time, it is likely that there will be full-time teams involved in many areas. Ultimately, CCPA will require you to develop a cohesive strategic vision, build new processes, implement new technologies, and potentially hire new people. This change will take time and the right team members.
Every challenge is an opportunity: make CCPA part of your competitive strategy
While your company’s investment to meet CCPA requirements may be hefty, don’t forget the opportunity to incorporate compliance into your competitive strategy. The more important data is to your company’s aspirations, the more vital it is to be ahead of the curve in data privacy and protection. CCPA is an opportunity to lead in this area. Those who have a vision and earn consumers’ trust – and then let consumers know about it with savvy marketing – will differentiate themselves.
A final note: you’re not alone
Here at Thought Logic, we were involved in several implementations of GDPR requirements prior to its effective date: we lived and learned from the complexity of consolidating mountains of data, and then building the systems to make it consumer-accessible. And since GDPR became effective on May 25, 2018, we’re already seeing (thankfully, not among our clients) both the challenges of GDPR and the results of inadequate preparation: the largest penalty for noncompliance to date, directed at Google, totals $52 million.
If you are interested in discussing this topic or kicking off the data privacy journey, please email Thought Logic’s Strategy Execution Practice Lead, Jonathan Brown, at firstname.lastname@example.org.