The state's sweeping new data-privacy law is officially in effect. For now, enforcement is on hold, but there might be even stricter regulation to come
On January 1, 2020, the California Consumer Privacy Act, or CCPA, officially went into effect, which gives consumers far more control over their personal data. Businesses have been scrambling to figure out what it all means for them in terms of compliance. The good news is, they've been given some breathing room; the state won't start enforcing the law until July 1, 2020. California's Attorney General, Xavier Becerra, will use this period to finalize the draft regulations that will implement the broader goals as set out in the CCPA itself.
These regulations will establish the procedures that facilitate the new consumer data rights enumerated under the CCPA and provide guidance to businesses for how to comply. Here's an overview of the CCPA, how it might be enforced, and why—as is so often the case with The Golden State—it's not the end of the story.
WHAT'S IN THE CCPA ITSELF
The CCPA grants the following new data-privacy rights to California consumers:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and, by extension, a business’s service provider.
- The right to "opt-out" of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide "opt-in" consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.
Businesses are subject to the CCPA if one or more of the following are true:
- They have gross annual revenues in excess of $25 million.
- They buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices.
- They derive 50% or more of their annual revenue from the selling of consumers’ personal information.
- Businesses that handle the personal information of more than four million consumers will have additional obligations (as proposed by the AG's draft regulations).
New business obligations under the CCPA are currently as follows:
- Businesses subject to the CCPA must provide notice to consumers at or before the point of data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
WHAT'S IN THE AG'S DRAFT REGULATIONS & NEXT STEPS
New business obligations under the CCPA as proposed:
- Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- If a business is unable to verify a request, it may deny the request, but must comply to the greatest extent that it can.
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information.
- Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
- Businesses that collect, buy, or sell the personal information of more than four million consumers have additional recordkeeping and training obligations.
There was a 45-day time period for public comment on these draft regulations, which ended December 6, 2019. The AG's office held seven public forums around the state and received and reviewed over 300 written comments. More changes could result from these comments. The public will be given at least 16 days to comment on any changes to the AG's draft regulations. This process will presumably be finalized by July 1 of this year, when the AG can officially start enforcing the CCPA.
THE MOTHER OF ALL DATA-PRIVACY LAWS
Europe's General Data Protection Rule, or GDPR, is viewed as the CCPA's birthmother, and rightfully so. The GDPR is the first consumer data-privacy law of its kind in the world, and California no doubt took many cues from it in the drafting of the CCPA. If you've already prepared for GDPR, you've probably gone a long way towards being ready for the CCPA, though the AG's office is quick to point out that "the CCPA and the EU's GDPR are separate legal frameworks with different scopes, definitions, and requirements," and that "a business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA." The AG's office goes on to list some critical differences between the two laws:
- Under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA.
- Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.
- Under GDPR, companies must draft and execute written contracts with its service providers,e., processors. Companies may need to review these contracts to reflect requirements under CCPA.
FINES AND ESTIMATED COMPLIANCE COSTS OF THE CCPA
- It's estimated the CCPA will protect over $12 billion worth of personal information that's used for advertising in California each year.
- Preliminary estimates suggest a grand total of $467 million to $1.6 billion in costs to comply with the CCPA draft regulations.
- A business will be in violation of the CCPA if it fails to address any alleged violation within 30 days after being notified of alleged noncompliance.
- Such businesses will be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
- The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
STATE OF RESTLESSNESS
A new data-privacy bill will be on this year's California ballot: the California Privacy Rights Act, or CPRA. It was proposed by San Francisco real estate developer Alistair Mactaggart—the man you could say is responsible for the CCPA. Mactaggart believes that, since the CCPA's passage, "some of the world’s largest companies have actively and explicitly prioritized weakening [it]," and that "technological tools have [since] evolved in ways that exploit a consumer’s data with potentially dangerous consequences." The CPRA, would, among other things:
- Create new rights around the use and sale of sensitive personal information, such as health and financial information, sexual orientation, and race.
- Let consumers tell companies not to track them closer than a circle almost three-quarters of a mile across, for the purposes of targeting them with ads.
- Provide enhanced protection for violations of children’s privacy by tripling CCPA’s fines for breaking the law governing the sale of children’s private information.
- Require transparency around automated decision-making and profiling, so consumers can know how algorithms are evaluating them in numerous ways.
- Establish a new authority to protect these rights, the California Privacy Protection Agency, which would enforce the law and provide necessary guidance to industry and consumers.
For now, though, businesses are busy enough wrapping their heads around the CCPA. But Star will keep you up to speed as we get closer to the July 1 CCPA enforcement date and the November vote on CPRA.