The European Union’s General Data Protection Regulation (GDPR) proved to be transformative, as it impacts companies and organizations that work with individuals in the EU. With GDPR fines totaling as much as “€20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher,” companies took notice of this new legislation. In fact, SevenTablets has an ebook exploring GDPR and how it may impact your company’s data lakes, along with data governance or data management strategies. But there’s another similar privacy law that companies should consider: the California Consumer Privacy Act (CCPA).
What is the CCPA?
The California Consumer Privacy Act was signed into law on June 28, 2018, and enacted on January 1, 2020. Similar to GDPR, the CCPA “creates new consumer rights relating to the access to, deletion of and sharing of personal information that is collected by businesses.” That’s according to the California Attorney General.
The CCPA is significant because it has a broader definition of what constitutes “personal data,” as this category even includes “thermal and olfactory information” — temperature and smells. The regulation’s security measures are not as stringent as those required to be GDPR compliant.
So what is the CCPA definition of personal data? The following types of data are considered personal information under this California law:
- Identifiers such as name (real, alias or member name), postal address, Social Security number, IP address, email address, account numbers, passport and driver’s license numbers and any other piece of data that could be used to pinpoint an individual.
- Biometric information, such as fingerprints, retinal scans, DNA or genetic information.
- Internet data and/or network data, including search history, browser history, cookies, and other data arising from an individual’s interaction with a website, advertisement or network.
- Commercial data, including those related to an individual’s personal property, shopping/purchase history or memberships.
- Visual, olfactory, auditory, thermal or electronic information about an individual.
- Employment history, data on education history, degrees and professional certifications, along with any other similar data that is “not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act.”
- Geolocation information.
- “Characteristics of protected classifications” per California laws or federal laws.
- Inferences derived from any of the above-mentioned types of information, including the consumer’s behavior patterns, preferences, characteristics, attitudes, intelligence and abilities.
It should be noted that a CCPA amendment moved to exclude employee data from the act, which now applies to only consumer data. A secondary amendment offers a partial exemption on personal data that’s collected from job applicants, contractors and similar.
An Overview of CCPA Requirements for Businesses
Many company leaders are surely wondering whether they’re affected by CCPA requirements. Like GDPR, the CCPA requirements apply to any company that serves California residents, even if the company does not have a physical presence in the state or even the USA.
Unlike GDPR, the CCPA law only applies to a portion of companies that serve California citizens. There are three qualifiers that can make a company subject to CCPA requirements:
- Annual revenue of $25 million or more; or
- Any size company that collects personal data for 50,000+ individuals; or
- Any size company with more than 50% of its revenue from the sale of data.
The one exemption applies to companies that are subject to similar regulations under the California Insurance Information and Privacy Protection Act (IIPPA). This includes insurance companies, insurance agents and insurance-related “support organizations.”
There are a few key take-away points that company leaders must consider as they explore the CCPA rules.
- Consumers can demand the disclosure or deletion of all data that a company has collected for that individual in the past 12 months.
- Consumers can request a complete list of all third-parties that may access their personal data.
- A consumer can file a lawsuit if CCPA privacy guidelines are violated — even in the absence of a traditional security breach. This includes scenarios where a consumer is unable to determine how their information was collected and instances where an individual is unable to obtain a copy of the recorded data.
- A class-action lawsuit may be filed in an attempt to recoup money for damages that resulted from a data breach.
- Companies cannot refuse equal service if a user declines to share their data, although businesses are permitted to offer incentives to individuals who do opt to share their info. (Example: offering a promo code to individuals who subscribe to an e-shop’s mailing list.)
- Websites must have a clearly-visible footer that provides consumers with an opportunity to opt-out of data sharing. If this notice is absent, it serves as grounds for a lawsuit.
In the case of CCPA lawsuits arising from a company’s “violation of the duty to implement and maintain reasonable security procedures and practices,” the legislation allows for a penalty of $100 to $750 per incident or actual damages — whichever figure happens to be greater.
Notably, the CCPA is a dynamic piece of legislation, meaning that the Attorney General is free to “solicit broad public participation” in an effort to implement new rules and regulations that serve to further the CCPA’s overarching mission.
How Long Do I Have to Achieve CCPA Compliance?
There is still time remaining if you need to make changes to the way your company processes, stores and manages data in order to become CCPA compliant. That’s because the Attorney General cannot initiate enforcement actions such as fines and penalties until July 1, 2020.
If a company is accused of CCPA violations, the business has a total of 30 days to resolve the matter and achieve full compliance. The 30-day window begins on the day when a consumer provides the company with written notice that they believe a privacy violation has occurred.
If the matter is not sufficiently resolved within the 30-day timeframe, California regulators can issue a hefty fine. CCPA fines can total up to $7,500 per record. So if your company has 50,000 records involved in the violation, this would equate to a mind-boggling fine of up to $375 million.
Companies that are based in California may wish to stay informed about the Attorney General’s CCPA rulemaking activities, as these new regulations may have a notable impact on company operations. The California Attorney General’s website features a form where you can subscribe to receive emails when CCPA news becomes available.
At SevenTablets, we have extensive experience in the realm of data management and data governance, as evidenced by our product, Sertics. From creating data lakes to developing a data governance plan, our team is adept at providing data management services. We also have a team of talented custom software developers and mobile app development experts so we’re well-positioned to assist with any custom development projects.
SevenTablets has clients in Dallas, Houston, Chicago, Austin and beyond. We provide a complete suite of high-tech service offerings, including ERP and CRM development, cloud integrations and system integrations. So if you’re in search of an innovative team to help your company make the most of its data, contact SevenTablets today.