What is the CCPA?
On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. This unanimously-passed bill was designed to protect consumer privacy rights, much like Europe’s recent General Data Protection Regulation (GDPR).
When the CCPA goes into effect, consumers will gain new rights concerning the personal information that companies gather about them (such as their name, address, location, websites frequented, etc.). Some of these rights include, but are not limited to:
Protection from retribution. Companies are required to provide equal service and pricing to customers who exercise their privacy rights. This is to ensure that companies do not punitively treat customers differently (i.e. by raising prices) if they ask about their personal information.
Once the CCPA goes into effect, consumers will have the right to ask companies about any and all data collected about them. This request can be made, for free, twice annually. Companies will be required by law to share that information when requested, and consumers will have grounds on which to sue companies who refuse.
In comparison with current American privacy policy standards, the CCPA is much more aggressive and will require a significant amount of adapting and preparing for most businesses.
What is the purpose of the CCPA?
The CCPA defines how companies are allowed to use customer data, with the goal of protecting customer privacy. The CCPA also serves to define what falls under the category of personal information.
As defined in the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It can include a consumer’s age, the number of people in a household, phone numbers, past purchase history, job titles, etc.
Customers’ personal information will now be protected in ways unprecedented in America, putting consumers in more control of their data than ever before.
The CCPA will also affect service providers, which are companies that provide customers with access to the Internet. The CCPA requires that contracts between businesses and services providers disallow the providers from keeping or sharing any consumer data they receive. Customer data can only be used in ways specifically drawn out in the contract.
To whom does CCPA apply?
Any sole proprietorship, partnership, LLC, corporation, or organization that transacts in California and is involved with consumers’ personal data in any way must become CCPA compliant. Businesses that serve or employ California residents are also included. This includes online sales involving California residents.
Other states in the United States are introducing legislation much like the CCPA. If things continue down this path, someday all businesses in the United States may need to be CCPA compliant, similar to the GDPR in Europe.
It might not be a bad idea for companies throughout the United States to begin taking steps to become CCPA compliant. This would lay a foundation for privacy protection that would be valuable in two ways. First, if the business becomes subject to a similar law in the future, they would already be compliant, or near compliance. Second, people value their privacy and are getting more vocal in their demands to prevent the use of their personal information. By proactively taking a step forward to protect customer information, a business could reap the benefit of positive press and a boost to their corporate reputation.
When do I need to be CCPA compliant by?
Initially, the CCPA was supposed to go into effect on January 1, 2020. However, this compliance deadline was extended to July 1, 2020 in order to grant companies more time and limit enforcement by the attorney general.
Still, businesses should take steps to become CCPA compliant immediately, as the CCPA will require businesses to provide consumers with a 12-month look-back by July 1, 2020. This 12-month look-back means businesses must start their efforts by July 1, 2019 at the very latest in order to be compliant. Most businesses should start sooner, as compliance may take longer than expected to establish.
Businesses should also take into account the monetary cost of becoming compliant within this time frame, as projected costs of updating platforms for data inventorying and management vendors is estimated to be between $50,000 and $100,000 annually. Therefore, it is imperative that businesses consider the time and money it will take for them to become CCPA compliant as they enter their preparatory process.
