“The elephant in the room is not the problem, never. It is the people that ignore it.”
Let’s go back to 25th May 2018, when the General Data Protection Regulation, or GDPR as it is most commonly known, was implemented.
Remember how you were finding new ways to deal with the elephant in the room by preparing a project plan to implement it, defining your company’s personal data policy and framework, performing data processing impact assessments, amending third-party contracts and so on?
One small mistake could end up in your company shelling out €20 million!
Well, guess what?
History just repeated itself.
The California Consumer Privacy Act or CCPA is here. And it is here to stay.
So what is CCPA all about? What changes do you need to make as a company to implement it successfully?
We’re here to elucidate all that and much more in our blog. Without further ado, let us hop on the CCPA bus to know more.
Before we begin to tell you what CCPA is, let’s first talk about how it came into being.
It is easy to assume that this data privacy act came into being due to California being the center of the internet, where both Facebook and Google came alive. While this fact did have a role to play, it wasn’t the primary influencer. Let’s start with the story behind CCPA.
There was a wealthy Californian named Alastair Mactaggart. One day he invited his friends over for dinner. As the evening progressed, he asked one of them, a software developer at Google, if he was worried about the things that the search engine knew about him.
The answer wasn’t what he expected. He said there was plenty to be worried about and the public would flip out if they had even the slightest idea about the information Google had on them.
That was all the awakening that Mactaggart needed. He began reading about data mining. He discovered that there was absolutely NO LIMIT on the information companies could collect about him. They knew his shoe size, how much money he made, whether he was looking to buy a new car, or if he wanted to buy sports shoes.
What’s more, companies were collecting data and further selling it. Alastair knew it was time to do something.
The Ballot Initiative
His research on privacy had a huge impact on him. “It’s like that Buddhist thing, where you walk past a mess and a mop and say, ‘Someone ought to clean up that mess,’ ” he says. “And eventually you realize you have to pick up the mop.”
After batting around ideas with his friend, a finance executive, they came up with the idea of gathering signatures for a statewide ballot initiative.
Mactaggart was skeptical about proposing a law along the same lines as GDPR, fearing that the public might find it baffling and reject it.
After a lot of skepticism from state lawmakers, the CCPA legislation was unanimously passed in June 2018!
Now that the cat is out of the bag, the main question arises.
What is CCPA?
CCPA is a personal data protection law passed by the state of California. It gives any Californian consumer the right to see all information a company has saved on them, as well as the entire list of third-party companies that their data is shared with.
Additionally, the law allows consumers to sue companies if any privacy guidelines are violated or in case of a breach.
Who does the law affect?
If you thought the law only affects companies based in California, you’re unfortunately mistaken. In fact, it affects you even if your company isn’t based in the USA.
CCPA impacts all companies that serve/work for Californian residents and meet at least one of the following criteria:
- Gross revenue of more than $25M, annually
- Processing information of more than 50,000 households, consumers, or devices
- Deriving 50% or more of their annual revenue from selling California consumers’ personal information
When will the law be enforced?
CCPA is expected to come into effect after the 1st of January, 2020. However, it is also important to remember that the law is meant to complement the current personal data protection laws, not to replace them.
Additionally, this data privacy law grants a number of rights to the consumer, such as:
1. Right to Request Information
(Section # 1798.100, 1798.115)
2. Right to Portability
(Section # 1798.130(2))
3. Right of Deletion of Personal Information
(Section # 1798.105)
4. Right to Opt-Out
(Section # 1798.120, 1798.135)
What is the penalty for non-compliance?
Come 2020, companies will have 30 days to conform to the law once they are notified of a violation. Failing to do so can result in penalties of between $2500 and $7500 per violation, imposed by the California Attorney General. For instance, if you violate the rights of 1000 users, you might receive a fine of up to $7,500,000! ($7500 x 1000 users)
How do I prepare myself for the age of privacy?
Conforming to GDPR will not make you CCPA compliant by default. For starters, CCPA does not have a concept of data processor vs data controller as GDPR does.
While you will have to take a lot of steps to properly comply with the law, start with:
- Conducting an internal audit to ascertain the type of personal information that your company is collecting
- Determining how this information is being used, whether it is further being sold to other companies at an extra cost
- Deleting consumer information that isn’t required
- Training your employees to understand the concept of CCPA and defining their responsibility in handling consumers’ personal information
- Preparing documents on how to handle a data breach
The idea of the data privacy act is for consumers to feel secure about how their data is collected and used by any company they choose to work with. The faster you prepare yourself to be compliant with the law, the better it is for your company. Because it is time to wake up and smell the legislation.