With so many devastating data breaches happening across the world over the past few years, it’s no surprise that governments are cracking down on data privacy protection laws. Consumers are concerned about how their private data is being handled — and after high-profile incidents like the Yahoo and Equifax breaches, who can blame them?
Cyberattacks are becoming more sophisticated and more prevalent, making them seem like a part of daily life both in the U.S. and around the world. But new laws are looking to change that perception. First the EU’s General Data Protection Regulation (GDPR) took effect in 2018, and now California has created its own powerful consumer data privacy law, the California Consumer Privacy Act (CCPA).
Similar to the GDPR, California’s new guidelines were signed into law on June 28 by Governor Jerry Brown and will begin to take effect on January 1, 2020.
Given that both laws were created for the same reason — to protect consumer data — you might think that the implementation of measures you already took to meet the GDPR guidelines will cover you and your company for the CCPA as well … but you’d be wrong. Although they are quite similar, the two have some fundamental differences. Here are the questions you should ask yourself to make sure you and your company are covered when the CCPA takes effect in 2020.
1. Does the CCPA Apply to Me?
Unlike the GDPR, which applies to processors of personal data established inside the European Union as well as those established outside it that process data about EU data subjects, the CCPA applies only to companies doing business in the state. Essentially, the California law is applicable only to those companies doing business with Californians or inside California itself.
Even within California, the CCPA only applies to companies that satisfy one (or more) of the following:
- have annual gross revenues of $25 million
- have obtained the personal information of 50,000 or more California residents, households, or devices annually
- have acquired 50 percent or more of their annual revenue from selling California residents’ personal information
2. What Does Personal Data Mean Here?
In terms of the CCPA, personal data refers to any information that identifies or relates to a particular consumer, household, or device. This means that utilities information counts as personal data in just the same way the consumer’s IP address would.
3. What are the Users’ Rights?
Unlike the GDPR, California’s new law does not require explicit consent and it doesn’t have any defined legal grounds for processing. It does, however, offer consumers effective ways to protect their personal data.
Any site or company that collects personal data must clearly state:
- What rights consumers have
- What types of information have been collected
- How the information will be used
- What types of information (if any) have been shared with third parties in the last year
Additionally, companies must have processes in place that allow customers to view and/or delete all information the company holds about them and to opt out of the sale of their personal data. Each homepage should have a prominently placed link titled “Do Not Sell My Personal Information” and/or a toll-free number to call for more information.
4. Do I Intend to Use This Information Commercially?
5. What are the Equal Rights Provisions of the CCPA?
Under the CCPA, companies are allowed to offer incentives (financial or otherwise) for the collection or sale of personal data. This implies that businesses could differentiate the prices of services in exchange for personal data. However, the CCPA simultaneously states that companies are prohibited from denying goods or services, changing prices, or providing different levels of quality to consumers exercising privacy rights and that all consumers are guaranteed equal service and price.
Seems fairly contradictory, doesn’t it? Keep in mind that the CCPA is considered a work in progress and will probably be amended quite a bit before or right after it goes into effect on Jan. 1, 2020.
6. Is a Certain Level of Data Security Required?
Although the numerous data breaches of recent years were a heavy influence on the creation of the CCPA, it isn’t as strict as the GDPR on what is required of companies. Anyone collecting the personal data of Californians is expected to implement and maintain reasonable security measures, but isn’t necessarily required to report data breaches that occur.
In this instance, if you are already complying with the GDPR, you probably won’t have to take any additional action to be in compliance with the CCPA.
7. What are the Repercussions of Not Following the CCPA?
If you do business with consumers in California and fail to meet the requirements of the CCPA once it’s fully in effect, civil action may be brought against your company by the California attorney general. For noncompliance, the penalties per violation are $2,500 (if unintentional) or $7,500 (if intentional). Additionally, if personal information is exposed in a data breach, consumers can sue for $100–$750 per incident — or more if the actual damages exceed $750.
With so many new changes to privacy laws, it can be difficult to keep up with the exact requirements. How do you know what applies to you and your company? What changes do you need to make to be compliant? Hopefully asking these seven questions will help you get on the right track!
And if you need help meeting the website requirements, just say the word! VIEO Design is always ready to make sure your site is the most up-to-date, powerful marketing tool in your arsenal — and that includes making sure you meet all the requirements of the newest privacy laws. Contact us now to learn what we can do for you and your company!
Disclaimer: The information contained in this post is not the same as legal advice nor a recommendation on any particular legal interpretation. Please consult your attorney for legal advice on GDPR compliance specific to your company's needs.