When It Does, Businesses in Every US State Could Be Affected
Every week, the number of data breaches against businesses breaks record numbers. Not only is the number of breaches breaking records, but the quantity of victims in each breach has reached staggering numbers. Facebook breaches alone soar (50 million in one, 540 million in another, to name just two), with each of their data breaches violating from tens to hundreds of millions. Capital One recently had 106 million records hacked, and the now infamous Equifax breach impacted 143 million US households.
These records belong to real people and more and more Americans and consumers around the world receive notification week after week that their account information has been compromised, stolen, and hacked. It might be banking info, credit card data, health information, academic records, or personal information like birthdate, social security number, address and more. Many if not most Americans believe confidential information about them has already been hacked.
In 2018, Europe took strong action to fight back against these exposures by implementing the General Data Protection Regulation (GDPR). The GDPR is the strongest regulation supporting – and penalizing violations of - data privacy to date. In a few short months, California will join Europe with a new regulation of its own - the California Consumer Privacy Act (CCPA) - that will be the strictest yet in the United States. Other states may follow suit before long.
Count Down to the California Consumer Privacy Act (CCPA)
This new regulation is scheduled to go into effect January 1, 2020, with efforcement policies following July 1, 2020. It’s the most expansive and comprehensive act a US state has put in place in support of consumers and like the GDPR, gives them more control over their information and how it’s used. Even though the law is in California, its reach will be throughout the US and likely even global. Similar to the way the GDPR has impacted countries in Europe and around the world, any business that handles a European citizen’s information is liable under the GDPR – so too the CCPA will affect companies outside California.
Your business will be affected if:
- You do business in California
- You have customers or potential customers in California
- Your business annual gross revenue is over $25 million
- Your business receives, shares, or sells personal information of more than 50,000 individuals
- 50% or more of your yearly revenue comes from selling consumer’s personal information
Restoring Some Order
The rising volume of data breaches demonstrates that consumer data is at risk and that it’s being poorly managed at large. The goal of these strict regulations is to give some control back to consumers. Once the CCPA is in effect, they will be able to be more involved in their own data management.
Consumers will have more rights in the following areas:
- Businesses must be very clear about disclosing their intent to collect any personal information and tell consumers of such an intent.
- Consumers have the right to know what personal information a company has collected, where the information came from, how the company plans to use it, and with whom it’s being shared. A consumer can ask a company to provide the following information about data collected about them, and the company is required to provide these items, among other things:
- Categories of personal information gathered
- Specific data collected
- Methods and purposes used to collect the data
- Third parties with whom the information will be shared
- Consumers have the right to stop businesses from selling their personal information to third parties.
- Consumers can request businesses delete the personal information that the business has on them.
- Businesses are prohibited from charging consumers who’ve exercised their privacy rights different prices or refusing service.
How Are ‘Consumer’ ‘Business’ and ‘Personal Data’ Defined?
- Consumer: As defined by the CCPA, a consumer is a natural person who is a resident of California, further defined in Section 17014 of Title 18
- Business: The bill includes lengthy definitions of business types and models. Key points include businesses in California that are for profit with revenues above $25 million, and those that collect personal consumer information and derive half or more of their annual revenues from selling this information.
- Personal Data or Information: Data containing information that “identifies, relates to, describes and is capable of being associated with, or could be reasonably be linked, directly or indirectly, with a particular consumer or household.” (CCPA 1798.140.o.1)
The identifiers referred to above include information such as real name, aliases, postal address, unique personal identifiers, online identifiers, IP addresses, email address, account names, social security number, driver’s license number, passport number, and so on.
Commercial information is part of this regulation as well, including personal property, products or services, and consumer histories and tendencies. Internet and online behavior, information about electronic network activity such as browsing and search histories, web site visits and online applications or interaction with advertisements are also included.
Going further into data that’s considered personal, the CCPA includes personal characteristics and behaviors in a variety of categories. These categories include Geolocation and profiling information regarding consumer preferences, psychological trends, behaviors, attitudes, abilities, intelligence and aptitudes. This data may also include household purchase data, family information (number of kids), financial information, sleep habits, and more.
What Should Companies Do to Prepare for CCPA?
The list of preparations may be long. Companies who have adequately prepared for the GDPR have a leg up. Many good guidelines are available for companies and the GDPR itself is a good guideline. Yet, similar to the months before the GDPR took effect, again, companies are slow to prepare. A 2018 PwC survey found that 64% of companies hadn’t begun to prepare for the regulations. Preparing for regulations like the CCPA can be fairly extensive and require considerable changes to existing systems and policies.
But prepared or not, compliance for all companies who meet the above criteria doing business in or with consumers in California is required by the January 1 deadline. Simply claiming ignorance or lack of understanding about your own companies' activities or related third parties' handling of personal information is not a shield. Companies are fully liable for the data they manage.
Getting into compliance involves many steps, including:
Assess your company’s current activities and status with regard to consumer data: It’s critical to identify current business policies and activities and determine if they could be in violation of the new law. Take steps to change those practices by January 1.
Ensure a good data collection, storage and management system: Because companies will be required to inform consumers when their data is being collected as well as provide a detailed report about that collected data when asked, it’s important to have a system that can support that requirement. These reports must be provided free of charge. The data needs to be stored per CCPA requirements and meet privacy requirements.
Provide clear communication: Companies must provide an easy-to-find online link on the appropriate Web page where consumers can specify they don’t want their information sold – ie, “Do Not Sell My Personal Information.”
Acquire qualified staff and educate them: Ensure staff is informed, trained and knowledgeable about the CCPA regulations.
Develop a reliable audit process: One of the requirements is being able to demonstrate conformance to auditors, vendors, data processors and others.
Implement a robust security system: This is not defined specifically in the CCPA but it is required in the GDPR and is imperative for ensuring data privacy.
Have a data breach response and notification plan: For example, the GDPR allows 72 hours for companies to notify the regulatory authority of a data breach. Not meeting this deadline results in a higher penalty.