Blog

Private Property Please Keep Out: California’s Sets Privacy Act (CCPA) at an All-Time High

September 19, 2019  /  by  Cassie Shukitis

By ‘private property’ we mean data… and a lot of it. If you haven’t heard about California’s new privacy act, you need to crawl out of that hole you’ve been in for the past couple of months ASAP. The California Consumer Privacy Act (CCPA) will go into effect in January 2020. The CCPA will change the way consumer data is stored and handled.

No other states, or Congress, have ever attempted such an ambitious privacy law to date. This law will force companies to reveal what data they collect. But wait! There’s more. It gives users the right to delete their collected data and prevent its future sale. The act is specifically aimed at California’s biggest technology firms (i.e. Google, Amazon, and Facebook).

More than just tech giants should be afraid

These laws apply to all ‘for profit’ businesses that buy and sell consumers’ information. Any business with a presence in California (online or physical) will be subjected to this law if they meet any of the following:

  • Generate annual gross revenue greater than $25,000,000
  • Receive or share personal information of greater than 50,000 California residents annually
  • Derive at least 50% of annual revenue by the sale of personal information of California residents

This law should encourage every company to be proactive and start taking steps to protect consumer data. Experts predict that other states will follow suit and begin implementing stricter privacy laws in the upcoming years. At least 9 other states have started considering their own version of the CCPA. It’s time to buckle up buttercup and start preparing for these privacy laws.

What does CCPA entail?

The general message of the CCPA states that when a business collects personal data, it must be disclosed in an accessible privacy policy published on the business’s website. If a customer wants to know what data these businesses have collected, the business is required to provide the customer with that information. If the customer requests their data be deleted, the business must comply. There are some exceptions to the rule. The information doesn’t have to be removed if the customer’s information is needed to complete a transaction. Consumer data can also be saved if it is needed to detect security, fraud, illegal activity, etc.

The CCPA is more involved than storage and policy disclosures. Under the new law, all businesses will be required to provide equal service and pricing, even if the customer exercises their privacy rights. Businesses using their own audience segments (i.e. for advertising or retargeting) must disclose the requirements for the original collection of data. The law requires businesses to post “Do Not Sell” buttons on websites that use audience segments for more transparent data collections. All companies will have to explain their policies when it comes to handling user data, state consumer rights, and list the categories of personal information collected.

There may be cracks in the foundation of the CCPA

California’s Attorney General’s Office will be responsible for enforcing the laws. Attorney General, Xavier Becerra, is concerned about having enough staff to carry out the job. The complexities of the law could make it difficult to enforce, meaning the CCPA might get in its own way.

There are concerns beyond Becerra’s statements. There is a lack of clarity in the laws. No guidance is provided on how to verify consumer requests. There are no details on the consequences of violating the new laws. Arrests, fines, and lawsuits are all possibilities. This is yet to be determined.

The eleventh hour.

Becerra and privacy advocates are attempting to add a provision allowing consumers the right to sue if their demand for data deletion is not carried out. The California Chamber of Commerce disagrees with this proposal. There are concerns over the possibilities of bankrupting small businesses and impacting unemployment rates.

The constant requests for alterations have made it difficult to finalize the bill. This will need to be an expedited process. The final bill needs to be ready for presentation in September to be passed by both houses of the state legislature.

The CCPA is going to disrupt how people and businesses handle data even beyond California state lines. If CCPA is successful, other states will begin proposing their own iterations of the privacy act sooner rather than later. The perceived threat of stringent privacy laws has everyone’s heads spinning. Privacy laws are common, but the CCPA is in a league of its own. Are you concerned about how this new law will affect your business? Roger West can help. Our team is committed to staying abreast of new and changing privacy policies. Secure your privacy compliance with us.