A new California law that goes into effect on January 1, 2020 could have implications for your business – will you be ready?
If you conduct any business within the Golden State, you need to understand the implications of the California Consumer Privacy Act or CCPA. According to the CCPA website, the act requires organizations to ensure consumers are given:
- The right to know all data about you that is collected by a business
- The right to say no to the sale of your information
- The right to delete your data
- The right to be informed of what categories of data will be collected about you prior to its collection and to be informed of any changes to this collection
- Mandated opt-in before the sale of children’s information (under the age of 16)
- The right to know the categories of third parties with whom your data is shared
- The right to know the categories of sources of information from whom your data was acquired
- The right to know the business or commercial purpose of collecting your information
- Protection afforded through the act’s enforcement by the Attorney General of the State of California. The state’s attorney general can sue for up to $7,500 for each privacy violation that is deemed intentional.
- Additional ability to act privately when companies breach your data. Consumers may personally sue for up to $750 for each violation.
So will your business be impacted?
If you collect any type of personal data on Californians, it’s likely you need to comply. In fact, more than 500,000 U.S. businesses that collect personal data within the state meet one or more of the qualifying criteria that demand follow-through:
- Earn at least $25 million in revenue
- Buy data about 50,000 households, individuals, or devices
- Earn 50% or more of their annual revenue from consumer personal data
Of course, California is a big state, so it’s likely you do conduct business there on some scale. And although the privacy law may not impact you in 49 other states, it’s probably easier to simply meet the higher privacy standard and apply it across the board.
What about the GDPR?
Depending on where you do business, you may have already addressed consumer privacy following the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR). If so, you’re already ahead of the game, as the primary difference between GDPR and CCPA is that the California act does not explicitly require businesses to obtain consumer opt-in before collecting consumers’ data.
If you believe your business must comply with the CCPA – or if you’re not certain – start with these important steps to make sure you’re prepared:
- Talk to your legal counsel and have them confirm whether or not CCPA applies to you.
- Audit current data-collection practices to understand current processes and identify gaps versus the CCPA.
- Encrypt or redact collected personal data.
- Update your privacy policies (again).
- Consider whether and where explicit opt-in requests make sense for your organization.
- Decide whether to proactively communicate your position on CCPA to customers.
- Hire a chief data protection officer.
Of course, other states may soon follow California’s lead, so MJ will continue to monitor consumer protection and cyber security laws. If you have any questions about the GDPR or the CCPA, please contact your MJ Consultant for help!