How California’s Consumer Privacy Act Affects Your Business

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) is a California state law that protects the following California consumer rights:

• Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
• Right to refuse the sale of their information
• Right to request deletion of their data (with limited exceptions)
• Mandated right to opt in before the sale of information of children under 16
• Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
• Enforcement by the attorney general of the state of California
• Private right of action should certain data breaches occur, to ensure companies keep their information safe

Businesses have 45 days to respond to consumer requests, though this time frame is just 15 days for opt-out requests. Any damages that occur due to a qualifying data breach are limited to $750 per consumer per incident.

The CCPA, before it was in amendment with Assembly Bill 375, originally had more stringent regulations that might have nearly paralyzed the tech industry, which has thrived in California’s Silicon Valley. But the official CCPA allows businesses a 30-day window to amend any violations as long as they can prove they have been amended and that no more will occur. Otherwise, violators might face a penalty of up to $7,500 per intentional violation.

How does the CCPA impact businesses?

All businesses with gross annual revenue in excess of $25 million must comply with the CCPA. So too must all businesses that earn at least 50 percent of their revenue from the sale of California residents’ data. A third qualifying class of businesses exists: any that buy, sell or share data obtained from at least 100,000 California residents, devices or households. These criteria apply to all businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located. Businesses inside California are as affected as out-of-state entities.

The University of Berkeley’s Center for Long-Term Cybersecurity has pointed to the following CCPA business impacts as the most important:

• Less reliance on data-intensive processes: For example, in response to the CCPA, behavioral retargeting is becoming less common among businesses that work with California residents’ data. Instead, a renewed focus on peer accountability has emerged.
• Confusing opt-out tools: The requirement to educate website visitors on cookie usage and allow them to opt out has led many businesses to rush into creating cookie opt-out banners. The result is unclear banners that aren’t user-friendly either. These may leave consumers flustered instead of confident that you’re protecting their data. It may also leave businesses noncompliant and consumer privacy unguarded.
• Data infrastructure challenges: It can be quite costly for businesses to adhere to CCPA requirements. This can place obstacles in front of smaller businesses that qualify based on the CCPA 50 percent rule. These businesses may lack the money to fund the required resources for data mapping, inventory and retention, resulting in noncompliance.

Why should your businesses address CCPA requirements?

While the CCPA technically might not cover your business, this doesn’t mean you shouldn’t prepare.

“The CCPA provides small businesses with incentive and motivation to [think] about the personal data processed and protected within their business environment,” said Matt Dumiak, director of privacy services at CompliancePoint. “Most organizations feel resource-constrained, and small businesses are no different, if not more so.”

“California’s law [raises] the bar significantly, and this won’t be the last time it’s raised as states seek to emulate the GDPR,” added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law. “This [law] is likely to increase litigation as more consumer rights are created and expanded.”

The lack of awareness could lead to a lack of compliance, which could expose businesses to significant financial penalties.

“It’s clear that businesses are confused about this regulation; they do not know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, chief security evangelist at ESET. “Businesses should particularly focus on the ‘reasonable security’ aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization.”

How will the CCPA shape the future of data regulation?

While California is just one state, its regulations are spreading awareness and encouraging like-minded individuals to speak up and take action. Businesses should expect similar laws to be passed across the country in the next few years. In fact, Nevada, Colorado, and Virginia have all passed similar laws.

“Congress will feel pressure from both pro-privacy advocates to endorse the rights created by California, and businesses to try to bring uniformity to what is increasingly a dynamically evolving policy area,” said Cattanach. “The bottom line is that this leverages on the concepts contained in GDPR and is certain to be picked up as the standard by other states.”

How can your business immediately comply with the CCPA?

Dumiak recommended reviewing the following business areas for CCPA compliance:

• Information security posture
• Personal data processing
• Honoring of access requests
• Other applicable rights or requirements

“Further, the fines and privacy right of action, while having an impact on any organization, will arguably be a larger percentage of their revenue and more impactful on business operations and revenue,” said Dumiak. “While many see regulation as a headache, this regulation is a terrific opportunity for organizations, small and large, to get much-needed resource help in the security and business operations space.”

If your small business hasn’t already hired a data processing consultant to make sure your company is compliant with GDPR, now may be the time to investigate such a professional. You may want to look for someone who is certified by the International Association of Privacy Professionals (IAPP). It is the largest and most comprehensive global information privacy community, with 40,000 members.

Data privacy regulations are here to stay

The CCPA covers any business, in any location, that processes California consumer data. Other states’ data laws, which are almost certain to be passed into law in the coming months and years, will be similarly expansive. This means it’s always a good time for your business to devote resources to data best practices. With a qualified consultant in your realm, you can check all the required boxes while focusing on business proper. This way, you stay in good graces with the law – and your customers too.