What you should know about California's Consumer Privacy Act
Data is becoming more valuable all the time, yet consumers have less control over their data than ever. As a result, legislators around the country are looking for ways to give consumers more power over their data.
In California, this has led to the most comprehensive privacy act passed so far in the country: the California Consumer Privacy Act (CCPA). The legislation, passed in 2018, came into effect on January 1, 2020, and the state attorney general is set to begin enforcing it on July 1, 2020. That means companies have just a few short months to understand what the law requires, how it affects them and the steps they will need to take to become compliant.
At the same time, California consumers will receive a slate of new data rights that they need to know about.
Below, we’ll break down everything you need to know about the California Consumer Privacy Act (CCPA).
The CCPA in a Nutshell
In essence, the CCPA guarantees a set of data rights to California residents (the statute calls them "consumers"). It requires businesses to tell consumers, at or before the point of collection, what categories of personal information they collect and why, and it generally gives consumers far more control over how that information is used.
Under the law, consumers have the right to know what personal information a business has collected about them and the right to opt out of the sale of that information. They can also request that a business delete the personal information it has collected from them, subject to the statute's exceptions (for example, information the business needs to complete a transaction, detect security incidents, or comply with a legal obligation).
Businesses also may not discriminate against consumers for exercising their CCPA rights: if a consumer asks a business to delete their data or stop selling it, the business may not deny service, charge a different price or offer a lower level of service in response. The law does allow a business to offer financial incentives for the collection of personal information, provided the incentive is reasonably related to the value of the consumer's data.
Although businesses will not be penalized for failing to honor these rights until enforcement begins in July, some businesses, including Facebook and Google, already delete the data they hold about you on request.
The CCPA applies to for-profit businesses that do business in California, whether they are based in the state or not, and that meet at least one of the following criteria:
- The business's gross annual revenue is greater than $25 million,
- The business annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices, or
- The business derives 50 percent or more of its annual revenue from selling consumers' personal information.
An entity that controls or is controlled by such a business and shares common branding with it is covered as well. Companies outside the United States that meet one or more of the above criteria are also bound by the law, so long as they want to continue doing business in California.
How Businesses Should Prepare
Businesses will need to be ready to fulfill any request a consumer can make under the law. Every business bound by the CCPA should have processes in place to tell a consumer what personal information it holds about them, to honor requests to opt out of the sale of that information, and to delete it on request. Because the law only obliges a business to act on a verifiable consumer request, those processes also need a way to confirm that a request actually comes from the consumer (or an authorized agent) before any data is disclosed or deleted, and they need to deliver a response within the statute's 45-day window.
Larger businesses may benefit from creating an office of CCPA compliance to ensure those processes are in place and working by the time July rolls around.
Companies that are unsure whether they meet the above criteria should investigate whether they are bound by the law. The "doing business in California" test can be met through holdings alone: a 2019 California Office of Tax Appeals ruling, for example, found that an out-of-state business with a 50 percent stake in a California-based LLC counted as doing business in California.
So even businesses that may not seem to fall under the CCPA can be bound by the law, depending on their holdings.
Preparing for California’s Consumer Privacy Act
California's new privacy act, which came into effect on January 1, 2020, is one of the strictest so far in the nation. The law outlines the rights consumers have over who can collect, sell and hold on to their data. Businesses that do business in California and meet the statute's thresholds are bound by the act, whether they are based in the state or not.
Businesses will need to prepare for the act and should have processes in place to guarantee that a specific consumer's data can be disclosed to them, deleted, or marked as not for sale, after the request has been verified. Otherwise, these businesses risk falling out of compliance with the act.