The California Consumer Privacy Act (CCPA), signed into law in June 2018 and effective January 1, 2020, will impact far more than just California consumers, whatever the name suggests. The law, designed to protect consumer data in the internet age, gives California residents the right to know and access what personal information a business has collected about them, to know whether (and to whom) it is being sold or disclosed, to opt out of the sale of that information, and to have the business delete the personal information it holds. It also bars businesses from discriminating against consumers who exercise these rights, so a consumer must receive the same pricing and service either way. Moreover, business-to-business contact data, currently exempt, is scheduled to fall under the law beginning January 2021. According to an economic impact assessment prepared for the California Attorney General's office, initial compliance could cost companies up to $55 billion. Businesses and procurement departments across the country should begin preparing now to ensure that their operations are compliant.
How does the CCPA affect businesses outside California?
All for-profit businesses that do business in California and collect consumers' personal information must comply with the CCPA if they meet at least one of the following criteria:
- Annual gross revenue in excess of $25 million
- Buying, receiving, selling or sharing, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices per year
- Deriving 50% or more of annual revenue from selling consumers' personal information
It doesn't end there. The CCPA also applies to any entity that controls or is controlled by a business meeting the criteria, provided the two share common branding. And a business that operates a website through which California residents can provide personal information can be subject to the CCPA even without a physical presence in the state.
With California's population of nearly 40 million people (about 12% of the US total), relatively few businesses of any scale escape these thresholds. The result is a large number of covered companies, many of them unprepared for the looming regulation.
What does the CCPA require?
The CCPA imposes many new requirements on businesses subject to the law. With rare exceptions, the primary business obligations are as follows:
- Businesses must notify consumers, at or before the point of collection, of the categories of personal information being collected and the purposes for which it will be used.
- Businesses must create procedures for responding to consumer requests to know, to delete, and to opt out of the sale of their personal information, and must address these requests within the statutory timeframes (generally 45 days from receipt of a request to know or to delete).
- Businesses must offer at least two methods for submitting requests, including, at a minimum, a toll-free phone number and, if the business maintains a website, a web address.
- Businesses must provide a clear and conspicuous link on the homepage of their website titled "Do Not Sell My Personal Information," enabling consumers to opt out of the sale of their personal information.
What happens if I don’t comply?
Noncompliance will get very expensive, very quickly. The CCPA gives California residents a private right of action when their non-encrypted, non-redacted personal information is exposed in a data breach caused by a business's failure to maintain reasonable security procedures: after giving the business 30 days to cure the violation, consumers may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Separately, the State Attorney General can seek civil penalties for any violation of the act: up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Attorney General enforcement begins six months after the final regulations are published or on July 1, 2020, whichever comes first, but the law itself applies from January 1, 2020. To avoid costly penalties and litigation, impacted businesses should implement compliance measures as soon as possible.
How do I comply with the CCPA?
Fortunately for businesses, there are many resources to assist in adapting current policies and procedures to the new regulation.
- Web and Enterprise Content Management Systems
Businesses should begin by assessing their current web and enterprise content management systems. The ideal solution will record what personal information was collected from each website user, the consent or opt-out status attached to it, and every third party with which that information has been shared. A system that keeps these records in one central place, with the consent status stored alongside the data itself, lets a business respond quickly to requests to know and to delete, and propagate an opt-out to every downstream system and third party that received the data. If the current provider does not offer this functionality, businesses may benefit from switching suppliers sooner rather than later.
- Website Design Services
Businesses will be required to update their online privacy policies and homepages to include a "Do Not Sell My Personal Information" link. Website design services can assist with these updates.
- Risk Management and IT Consulting
If the prospect of developing and managing a new data strategy in-house seems overwhelming, risk management and IT consultants can help. These providers can quickly get businesses up to speed and implement industry best practices to limit disruption and downtime. For large businesses or those with data spread out across many systems, partners or clients, working with a consultant may help to speed up the process and ensure that all regulatory boxes are checked.
All businesses, regardless of whether the CCPA impacts them, should assess their current data collection, sales and storage processes. While the CCPA is currently one of the most talked about data privacy shakeups, it isn’t the only legislation being debated and it won’t be the last. Multiple states have introduced similar laws, and federal legislation is often discussed in Congress. Businesses should proactively develop more advanced data storage and protection practices to get ahead of the curve.
By: Michelle Hovanetz