The California Consumer Privacy Act Explained
Hi, I’m Simeon, and I’m going to be your tour guide today through the California Consumer Privacy Act (CCPA). If you are a regular reader, you probably know that OWI hosts the KNOW Identity Conference (make sure to join us April 5th-8th at the MGM Grand in Las Vegas!). Last week, an events team member asked if we had any new marketing obligations under the upcoming CCPA. Having questions pop-up so close to home, I figured it was time to do a full deep-dive on what everyone should know about the CCPA.
The CCPA goes into effect on January 1st, 2020. Covered entities include for-profit businesses operating in California that (1) collect the California citizens’ data and (2) determine the purpose and means of their personal data. Covered people include California residents that are residing both inside and outside of the state. The deadline is quickly approaching and there are still many questions left unanswered. Make sure you get involved in the conversation as soon as you can if you haven’t already.
The Background on Privacy Legislation
In 2016, the EU passed the General Data Protection Regulation (GDPR) to address the lack of oversight to secure and protect the personal data of its customers. We have written many articles diving into the nitty-gritty on GDPR, for more helpful information check out here!
GDPR shook the entire business community. Professionals scrambled to understand what this new regulation meant for their business and what they would have to do to be compliant. Even a year after GDPR rolled out, many companies are grappling with compliance. Yet, GDPR has become a blueprint on what a comprehensive data privacy law should look like.
In the next few years, many countries took the initiative in joining the EU with more robust data protection mandates. The U.S. has failed to pass a federal law but California wasn’t to be discouraged. In 2018, the state of California, also arguably the tech capital of the world, passed the CCPA, and here is what you need to know.
Covered Entities Under CCPA
CCPA’s scope and territorial reach is more limited the GDPR. The extent of the Act is restricted to two main categories.
The first applies to for-profit businesses operating in California. A business must collect a California citizens’ data and determine the purpose and means of their personal data, meaning that they slice and dice it for commercial purposes. Additionally, the law has specific qualifications for these businesses. They must:
- Have at least $25 million in annual gross revenue
- Buy/sell or received the personal information of at least 50,000 California consumers, households or devices annually
- 50 percent of your annual revenue comes from selling California consumers’ personal data
The second category encompasses entities that control, or is controlled by, an entity that meets the first set of criteria or shares common branding with the parent entity. This makes the CCPA targeted as companies are in the personal data business.
Who does the CCPA protect?
CCPA protections are restricted to “Californian Consumers,” defined in Section 17104 of Title 18 of the California Code of Regulations as of 9/1/2017. At the time, California residents were defined as “every individual who is in the State for other than a temporary period and/or domiciled in California but are currently outside the State for a temporary or transitory purpose.”
The second part of the definition drastically increases the responsibility in identifying California Consumers, but the intent is to protect the people of California.
What data is covered under the CCPA?
The CCPA restricts purview to personal information (PI). PI is defined as “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” For more details and nuances, you’re welcome to check out Section 9 subsection (o) of the bill.
What important CCPA dates do I need to know?
The CCPA was approved by the Governor of California on September 12th, 2018. The bill is set to go into effect on January 1st, 2020. The attorney general announced it will take six months to clarify areas of confusion and outstanding issues before it will begin enforcement. However, don’t let yourself fall asleep at the wheel, the state retains the right to retroactively prosecute violations from this time period.
Fines and Penalty Structure
Under the CCPA, covered entities must be notified of an issue and have 30 days to “cure” the allegation of noncompliance. There is no definition of “cure” in the current bill. However, the statue notes “Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.” Good luck Xavier Becerra!
If the covered entity fails to provide a cure, they will be subject to a civil injunction and liable for more than $2,500 per violation and $7,500 if the violation is proven to be intentional. There is no ceiling for CCPA violations, unlike GDPR which places a 4% of global annual revenue for regulatory enforcement,
Individuals who are directly impacted by the violation can seek to recover damages between $100- $750 “per consumer per incident or actual damages whichever is greater.”
How are companies responding to CCPA?
Entering into Q4 of 2019, the CCPA is clearly top of mind for many business executives. A recent PwC survey saw 86 percent of respondents from across industries noted CCPA compliance is one of their top business priorities.
One interesting area of development is “Deidentified and aggregated data.” The CCPA addresses the topics of deidentification, pseudonymization, and the aggregation of data, but it arguably fails to provide comprehensive definitions for each or clearly define their relationship. The overall consensus from the International Association of Privacy Professionals, is that under the current statute, deidentification and pseudonymization offers very little practical advantages and does not elevate business obligations in any meaningful way.
There is, however, an explicit carve-out for “research,” defined as “ scientific, systematic study . . . conducted in the public interest in the area of public health” (§ 1798.140(s)). The intent here is to not impact government research focused on utilities, transportation, health efforts, etc.
The lack of clarity makes the use of the techniques, outside of research, riskier than it should be. Hopefully, this is an area of the regulation the Attorney General plans on publishing additional guidance on after the six month period.
The Tipping Point
Companies have come to us and asked, “At what point do I make the practices required under the CCPA defacto for all of our customers?” That is a difficult question. Our responses are obviously more informed by the unique context of our audience but my general feedback is, this is not going away. Enhanced consumer data privacy regulations are here to stay. Whether it be EU, Canada, Israel, Brazil, countries around the world are taking steps to protect their consumers. If you are a global brand, it is in your best interest to make these policies standard practices.
For more information or assistance with CCPA, feel free to reach out to email@example.com