Many suspected – and rightly so – that the California Consumer Protection Act was too messy to go forward as originally proposed, but now the changes are locked in. Russ Berland discusses the most recent amendments.
On January 1, 2020, a new privacy regime will commence in the U.S. The California Consumer Protection Act (CCPA), which has stricter standards than even the EU’s General Data Protection Regulation (GDPR), will go into effect and every business that deals with California consumers should be ready.
So, are we? According to privacy solution provider PossibleNow’s recent August survey, over half (56 percent) of companies to which the law will apply will not be ready. And as of PossibleNow’s July survey, only 8 percent of those companies reported being ready to comply with the CCPA at that time. Among the key reasons for anticipated noncompliance cited by survey participants were not knowing what the CCPA will require and how it will be enforced.
The initial drafting and passage of the CCPA last year was rushed and somewhat messy, and some ambiguities were left in the original statute. Privacy experts generally assumed that the law would be amended to clean it up, but the content of those changes was not known until now: the California legislature has passed six amendments which will alter the CCPA prior to its effective date. The California legislature finished its session on September 13 and cannot make any further changes until after the CCPA becomes effective on January 1.
So, assuming that the bills will all be signed by the governor, we now know the actual requirements of the CCPA on January 1. The California Attorney General is expected to issue regulations on the CCPA in the next month, but those regulations may not impact the law’s substance, which is set – for now.
On January 1, businesses need to be prepared for every California consumer to get five rights over their personal information, which have not generally been enjoyed elsewhere in the U.S. These are:
- The right to request disclosure of your business’ data collection and sales practices affecting that consumer, which include:
- the categories of personal information you have collected about them;
- the source of the information;
- your use of the information; and
- if their information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold.
- The right to request a copy of the specific personal information collected about them.
- The right to have that information deleted (subject to some exceptions).
- The right to request that their personal information not be sold to third parties, if applicable.
- The right not to be discriminated against because they exercised any of the new rights. However, under certain circumstances, a business may now charge more to consumers who opt out of having their information used or sold.
With the new amendments, several changes are made to the original version of the CCPA, and some of its uncertainties will be removed or clarified once the governor makes them official. These include:
- A toll-free number is no longer required for a consumer to exercise their rights; a business may provide an email address instead.
- Employees do not get privacy rights under the CCPA to exercise against their employers – until that exemption sunsets on January 1, 2021.
- Certain information about vehicle warranties or recalls is exempt from opt-out rights.
- Personal information does not include information that is de-identified or aggregated from a population of consumers.
- When a consumer attempts to exercise their rights, businesses now have the authority to “require authentication of the consumer that is reasonable in light of the nature of the personal information requested.”
The CCPA applies to any business that collects personal information from California consumers and has $25 million or more in revenue; derives over half of its revenue from buying, selling, receiving or sharing personal information of consumers; or collects the information of 50,000 or more California consumers. Consumers are defined as residents of California under the state tax code.
In order to comply with the CCPA, businesses should:
- Update their privacy notices and policies now, and annually thereafter, to reflect CCPA requirements;
- Add a “Do Not Sell my Data” button to their homepage;
- Retrain their pertinent employees on the new compliance requirements of the CCPA;
- Implement systems to comply with their new privacy notices and policies and to authenticate and follow up on legitimate consumer requests under the CCPA; and
- Audit their systems to ensure they can and do comply with their own privacy notices and policies and with the consumer rights provided by the CCPA.
For those 58 percent of companies that will not be ready for the CCPA, there is a potential $2,500 fine for every unintentional violation and $7,500 for every intentional violation. As an example, an unintentional violation affecting 10,000 California consumers could cost $25 million in fines, while an intentional violation could cost $75 million. The maximum fines are not capped and could be far greater than those under the EU’s GDPR, which are capped at 4 percent of annual revenue.
The uncertainty about what the CCPA will require on January 1 is almost gone (depending on what the Governor of California does in the next few weeks). With this information, we have a good sense of what we need to do to comply with the CCPA and the possible fines we might face if we fail to do so. January 1 is less than four months away. Perhaps it is finally time to take action to prepare for the CCPA during this final, final countdown.
(Cue the 1986 song “The Final Countdown” by the band Europe in fade.)