Last year, the EU implemented a sweeping update to its data privacy laws, known as the General Data Protection Regulation (GDPR). This bill had massive effects on the way websites across the world collect, store, and use consumer data.

After the EU implemented the GDPR, several other nations began to look at similar legislation to protect their citizens’ data. The US hasn’t drafted a national piece of legislation, but California is the first state to create new laws and issue an implementation date. Like the GDPR, the California Consumer Privacy Act (CCPA) is aimed at increasing transparency on how user data is collected and how it’s being used.

What Is the CCPA and What Does It Mean

The California Consumer Privacy Act (CCPA) is a newly signed bill that outlines new rights and increased protections for the consumer data of California residents. The Act is intended to give California residents the following rights:

  • Right to know: Companies must be able to provide consumers with what information they collect/hold, the purpose for which it was collected, where the company got that information, how the information is being used, and whether the information is being disclosed or sold and to whom.
  • Purpose limitation: Information may only be used for the company’s originally stated operational purposes.
  • Right to deletion: Consumers can request their data be deleted, unless the business requires the data be retained for legitimate business reasons.
  • Right to opt out: Consumers can request that their personal information not be sold.
  • Right to be equal: Businesses must provide equal service and pricing to consumers.

With these new rights, businesses will also need to ensure they inform users what data they are collecting and for what purpose at or before the point of data collection.

How it will affect businesses

For most businesses, this will directly affect their website and how they conduct their marketing efforts. The CCPA isn’t limited to businesses located in California; jurisdiction is based on the location of the user. All entities that do business in California will be subject to the new bill once it goes into effect in January 2020.

The CCPA also defines Personally Identifiable Information (PII) very broadly, so simply collecting IP addresses or someone’s name without the user’s knowledge would violate the CCPA as it is currently written.

In addition to changes in data collection, the new California bill details the responsibility placed on businesses housing private data and the ramifications for not adhering to the new legislation:

  • Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents.
  • Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any other relief the court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it.
  • A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.

What should your company be doing

As the deadline to become compliant approaches, there are a few key steps that all companies doing business in CA need to take:

  • Create and regularly update site-wide privacy policies
  • Install reasonable security measures and regularly maintain website updates
  • Implement procedures for handling consumer requests for restrictions and/or deletion of personal data
  • Ensure your vendors and 3rd party affiliates are in compliance with CCPA

The CCPA has several nuances that can make the bill hard for businesses to navigate. While California may be the first state to implement these laws, several other states are looking to draft similar bills in the future. Getting prepared now can help prevent timely losses in business or potentially hefty fines due to negligence.