On January 1st of this year, the California Consumer Privacy Act (CCPA) went into effect. It’s the first major comprehensive privacy legislation to be passed in the U.S. for over two decades.
The landmark act gives California consumers control over their online personal information and how a company uses it. More specifically, the CCPA supports California residents with their right to access and review their personal information, as well as know:
- What personal information about them is being collected, used, shared, or sold;
- Whether their personal information is being sold and to whom; and
- How to opt-out of the sale of their personal information.
Additionally, the CCPA grants California consumers the ability to ask companies to delete all of their collected personal data and sue those companies if the privacy guidelines were violated.
If notified of a violation, companies have 30 days to comply with the CCPA regulations, with fines of up to $7,500 per consumer record if the violation is not resolved. Large tech companies, such as Facebook and Google, have already been hit with billion-dollar lawsuits over violations of the European Union’s General Data Protection Regulation (GDPR), a data privacy law comparable to the CCPA.
Smaller companies, however, do not have that kind of money, leaving them vulnerable to the new legislation. To help your business prepare for the CCPA and avoid unnecessary lawsuits, we have compiled a list of the biggest myths that have been circulating about the new law.
Myth #1: Your Business Is NOT Affected Because It’s Not Based in California
Currently, the CCPA affects businesses that meet one of the following criteria:
- Gross annual revenue of over $25M;
- Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; and/or
- Derive 50% or more of annual revenues from selling consumers’ personal information.
Some companies meet these criteria but believe they are not affected by the privacy law because they are not based in California; however, this is not true. Companies do not need to be based in California, have a physical presence in the state, or even be in the U.S. to be affected by the new law. If they meet the criteria above and serve California residents, they must comply with the CCPA regulations.
Myth #2: GDPR Compliance Guarantees CCPA Compliance
This may come as a surprise, but GDPR compliance does not mean your company is compliant with the CCPA. The biggest difference between the two is that the new privacy law’s definition of personal data is more expansive than GDPR’s definition. This may drastically impact the data mapping efforts your business implemented to achieve GDPR compliance, and additional efforts may need to be taken to comply with the CCPA.
Myth #3: The Information Your Business Has Is Not “Personal Information”
Compared to GDPR, the CCPA has a broader description of the type of personal information considered sensitive. According to the CCPA, personal information can be described as:
- Identifiers (name, postal address, IP address, email address, account name, social security number, driver’s license number, etc.);
- Characteristics of protected classification under California or federal law;
- Commercial information (personal property records, products or services purchased, purchasing history and tendencies, etc.);
- Biometric information;
- Geolocation data;
- Professional or employment-related information;
- Education information; and/or
- Audio, electronic, visual, or thermal information.
Basically, if you’re collecting a person’s data through online marketing, advertising, or other digital initiatives, you more than likely have collected at least one type of personal information. But don’t worry, this isn’t the issue.
The real problem is when a consumer requests a record of their personal information collected by your company. A company has 45 days after the request to provide a comprehensive report of all personal information records. This can be challenging for most companies, as identifying and compiling all data records can be extremely time-consuming.
A good strategy to avoid this problem is to gather less data. Many companies don’t know what personal data they’re collecting, so it may be beneficial to look into the type of information you’re collecting from your customers and assess which areas are unnecessary. This will help your business avoid any legal trouble, as well as potentially create an opportunity to differentiate yourself by showcasing the type of solid privacy protection practices your company employs.
Myth #4: Being Quick to Change Your Policies Is the Best Plan of Action
Though it’s usually better to get things done promptly, the CCPA is the exception to this rule. Data privacy is relatively new to legislation and will continue to be an ongoing process. This means that the current regulations will most likely change in the coming years, so you don’t want to spend a great deal of time and energy updating all of your policies, only for them to be updated again within a short period.
The best approach to complying with the CCPA is to audit your practices and determine where you stand with personal data and how it is collected, stored, handled, and disclosed. From here, you should be in a good position to identify the next steps in updating your policies. However, it’s worth noting that once these policies are updated, you should revisit them regularly to ensure compliance with the CCPA and avoid any legal actions against your company.
The CCPA has been in effect for only a few months but has already sparked plenty of questions and concerns among businesses and privacy advocates. This is just the start of a trend of increased regulations around consumer privacy, as other states are drafting up their own privacy laws. For now, your company should focus on complying with the CCPA and developing a strategy to handle consumer requests for their personal information records.