California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was passed on June 28, 2018. The CCPA grants consumers the right to request that businesses disclose the personal information they collect about consumers, along with its sources and the purposes for collecting it. It also enables consumers to learn what information is shared with and sold to third parties. The California legislature passed the bill in a relatively short period of time, largely because of an impending resolution that would have placed the issue on the ballot in the upcoming election on November 6, 2018. The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this year. One major difference between the two laws is that the GDPR has an opt-in clause, while the CCPA has an opt-out clause. This means companies doing business in the EU must give citizens the option of allowing personal information to be collected, whereas citizens in California must request that businesses delete personal information. Regardless of the differences, these privacy laws are going to profoundly impact the way businesses handle information about consumers.

The clock is now ticking for the CCPA, as the law takes effect on January 1, 2020. One of the lessons learned from the GDPR is that once the ball drops on New Year’s Eve 2020, there will be advocates waiting to pounce on businesses that do not comply with the CCPA. The European Center For Digital Rights filed lawsuits against Google and Facebook (as well as Facebook subsidiaries WhatsApp and Instagram) on the first day the GDPR became law. The potential fines could total €7 billion (NOYB). Although the California law does not fine businesses based on a percentage of total annual global revenue (as the GDPR does), it can fine a company up to $750 per incident, so a company with millions of customers could potentially face fines in the hundreds of millions of dollars.

The CCPA requires businesses to establish at least two communication methods (most likely website and telephone) for consumers to contact the company to request what personal information the company has about them and how to opt out. Interestingly, the law does not require a consumer to establish an account with the company before opting out. Therefore, even if a business does not have an account with a consumer, it is still responsible for protecting the privacy of citizens who are not customers. So, if a customer signs onto a company website to shop but never buys anything, and the company collects personal information, the company must comply with the CCPA.

The CCPA does give businesses some leeway in collecting personal information. After all, companies must collect personal information to conduct business transactions and maintain security. Businesses still have a need to collect consumer information for marketing and research. The CCPA allows businesses to collect and retain consumer data by pseudonymizing or de-identifying personal information. In other words, privacy is maintained because the consumers’ data is not identifiable to a specific person. However, pseudonymization and de-identification must be a one-way process. This is a very important point: companies cannot have the ability to collect information, put it into an anonymizing database, and then reconstruct the personal information.

The CCPA presents new challenges for businesses in protecting personal information. This law, of course, does not stop at the California border; it impacts commerce across the United States. Ascension Technical Group has experience in maintaining privacy and security for businesses and consumers, and we would like to help your company prepare for the new privacy law standards that are long overdue.

 

 
