In 2018, there was a lot of buzz about Europe’s data privacy law, the General Data Protection Regulation (GDPR). An update to a data protection regulation established in the mid-1990s, it provides more rights for European Union (EU) citizens and adds transparency about how data is managed and handled. Importantly, GDPR only applies to European citizens when they are physically located in the EU. So, for US-based companies, the looming question has been if – and when – similar legislation will pass in the United States. The answer is 2020. Here’s what you need to know to prepare for the California Consumer Privacy Act (CCPA).
What is the California Consumer Privacy Act (CCPA)?
California’s government recently signed a data privacy law – the California Consumer Privacy Act (CCPA). The new policy will give California residents more control over how companies collect and manage personal information like names, addresses, email addresses, and more. Affected California companies will be required to let consumers:
View the data being collected
Request that this data be deleted, and
Opt out of having this data sold to third parties.
The bill will go into effect on January 1, 2020, and companies that violate this law will be subject to a $7,500 fine per consumer. Companies impacted include any for-profit business that collects consumers’ personal data, does business in California, and meets at least one of the following three criteria:
Has gross revenues over $25 million,
Has personal information of 50,000 or more consumers, households or devices, or
Earns more than half of its revenue from selling consumers’ personal information.
Personal information as defined by this act spans a large set of identifiers for a consumer or a household. Some of the most common include: name, signature, social security number, passport number, bank account number, postal address, unique personal identifier, online identifier, IP address, email address, account name, driver’s license number, and credit card number.
What should businesses in California do?
After determining that this act impacts them, California businesses need to take several steps prior to this bill going into effect in 2020:
Map their inventory of personal data and identify how it’s collected, used, sold and shared. (Note that the CCPA includes requirements that are subject to a 12-month data lookback.)
Ensure they have a process in place to quickly provide data to consumers who request it.
Provide a mechanism to opt out of this data being collected and shared.
Educate staff about this law so that there are no unintended violations.
Which states are next?
While California is carving the path for enhanced consumer privacy in the United States, it’s likely just a matter of time until other states follow suit. Maine, Illinois, Louisiana, Maryland, New York, Pennsylvania, Rhode Island, Texas and Washington have all introduced privacy law bills in their respective states.
Additionally, all 50 states have passed data breach laws that vary on how each protects consumers in the event of a data breach. Notably, New York’s legislators passed the Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act in July 2019, which goes into effect in March 2020. However, no other states to date have passed a consumer privacy act like California.
How can my website vendor help?
If you haven’t already, make sure that your website vendor is aware of how your site will need to be updated to support the CCPA. Some companies and organizations may choose a home-grown internal system to comply with this act, while others may leverage a third-party privacy management solution to integrate with the site. Whichever is best for your situation, make sure that you determine your exact plan early on so you can be prepared for January 1, 2020.
To discuss your specific consumer privacy needs and your website, talk to a ZAG Interactive representative today.
Disclaimer: This article has been prepared by ZAG Interactive to provide information of interest to our readers. It is not intended to provide legal advice. Please consult your own legal or compliance team for specific questions and concerns.