Does your company collect data on California residents in your CRM or other databases, or remarket to California residents with digital advertisements? If so, you may be in violation of the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. Like the GDPR, which went into effect in the spring of 2018, the CCPA will require companies that do not wish to pay massive consumer privacy fines to adjust what information they store on prospective customers, and to tell website visitors and customers what information they have stored on them and are actively collecting from them. Read on to learn how to protect your company.
Companies that must comply with CCPA
The CCPA is a bit looser than the GDPR, as it limits the companies that must comply to those serving California residents that meet at least one of the following qualifications:
- At least $25 million in annual revenue
- Collecting personal data on at least 50,000 people (California residents or not)
- Earning more than half of their revenue from selling personal data
Companies do not have to have a physical presence in California or even be based in the US to be subject to the CCPA.
Data the CCPA Covers
While the GDPR covers far more people, the CCPA takes a much broader approach to the type of data it qualifies as sensitive. AB-375, the part of the CCPA that will go into effect in January 2020, defines the following as personal information:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
How to comply with the CCPA
The CCPA requires companies to be transparent with users about how they’re collecting, sharing, and using personal data. This includes notices that alert website visitors that cookies are tracking their activity, and notices explaining how the company will use personal data collected through forms on its website.
Companies that sell customer data to third parties must allow consumers to opt out of having their data shared with those parties. However, they are allowed to offer consumers special incentives in exchange for permission to share their data.
AB-375 also gives consumers much greater access to the personal data that companies have on file about them. Once a consumer requests their data, the company has 45 days to provide a comprehensive report on what is stored and exactly how it has been used over the past 12 months. This could be extremely problematic for large enterprise companies that store massive amounts of data across multiple storage platforms.
CCPA violation penalties
Companies in violation of the CCPA have just 30 days to comply once regulators notify them of the violation. If the issue isn’t resolved in time, they will be hit with a $7,500 fine per record in violation.
Take this news as your call to action
If your company has not already prepared for CCPA, you need to start putting together your game plan or else put yourself at risk for fines in the hundreds of thousands of dollars. With an enforcement date of January 2020, the clock is ticking. See below for a comparison of GDPR and CCPA rules provided by PwC:
Chart provided by PwC (www.pwc.com)