If you own a website that collects user data or simply operates online, take caution!
By Peter Lemire
In June of this year, California enacted the California Consumer Privacy Act (CCPA), becoming the first state in the U.S. to pass its own comprehensive data privacy law. The CCPA was enacted just one month after the European Union’s General Data Protection Regulation (GDPR) officially became enforceable. Any relief felt by U.S. companies for completing the arduous task of bringing their business practices into compliance with the GDPR was short-lived: California has plunged headfirst into the privacy arena, and it is playing by its own rules.
On the surface, it may seem that companies not doing business with California residents or EU citizens remain unaffected and are free to carry on business as usual. However, the enactment of the CCPA could have broad implications for businesses across the country. The public is demanding corporate accountability for cybersecurity and privacy; just ask Mark Zuckerberg, the co-founder of Facebook. Companies should start contemplating and formulating compliance strategies sooner rather than later. In the realm of privacy and data security, a proactive approach to managing cybersecurity and privacy risks is best, and may avoid a costly game of “catch-up.”
In order to understand what privacy and personal data management policies should be in place, it is first important to look at what the CCPA requires for compliance. The CCPA has been widely referred to as California’s version of the GDPR; however, the comparison is somewhat misleading, as there are quite a few differences between the CCPA and the GDPR. This means that existing privacy policies tailored for the GDPR will not automatically be fit for purposes of complying with the CCPA, and will likely need to be updated to reflect the disclosure and transparency obligations the CCPA requires.
Of course, the first step is determining whether your business is even affected by the CCPA. The CCPA applies to for-profit businesses that collect California residents’ personal information (or on whose behalf it is collected) and determine the purposes and means of processing it, do business in the State of California, and meet at least one of three thresholds: (a) annual gross revenues in excess of $25 million; (b) annually buying, receiving, selling, or sharing the personal information of 50,000 or more California residents, households, or devices; or (c) deriving 50 percent or more of annual revenues from selling California residents’ personal information.
Although the CCPA’s directives become operative on January 1, 2020, consumer requests will cover a 12-month look-back period. Businesses subject to the CCPA will therefore need to begin mapping data and keeping records of the personal information they collect, sell, and disclose starting January 1, 2019.
Even if the CCPA does not apply to your business, it is still worth having a basic understanding of the CCPA, as other states are following the EU’s and California’s lead, which could in turn prompt federal involvement. Essentially, the CCPA gives California residents four basic rights in relation to their personal information. First, “the right to know” grants the right to know what personal information is being collected, whether that personal information is being sold or disclosed, and, if so, to whom. “The right to opt out” provides the right to opt out of the sale of collected personal information to third parties. Further, minors under the age of 16 must actually opt in (meaning the sale of their personal information is not permitted until consent is expressly provided), and for minors under the age of 13, the consent must come from a parent or guardian. “The right of access” gives consumers the right to have a business disclose the specific pieces of personal information it has collected about them, the categories of information collected, the categories of third parties with whom the information is shared, the categories of sources of the information, and the business purpose for collecting or selling the personal information. Finally, the CCPA provides “the right of equal service,” which forbids businesses from discriminating against consumers for exercising the rights afforded under the Act. The Act also gives consumers a right to request deletion of the personal information a business has collected from them, subject to a number of exceptions.
California’s law is just the tip of the iceberg of what is happening throughout the United States. The GDPR and CCPA have made the problem of inconsistent, and sometimes conflicting, privacy laws concrete, and present businesses with unnecessarily burdensome compliance challenges. As a result, efforts to lobby Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws are currently underway. The U.S. Chamber of Commerce, the Internet Association (a trade group representing leading Internet companies), and the Interactive Advertising Bureau have all already spoken on the matter.
Businesses that are compliant with the GDPR do have a fairly significant head start on complying with the CCPA. However, because there are material differences between the two regulations, even businesses that are “GDPR-compliant” (if there is such a thing) will have additional work to do to prepare for the CCPA. Absent an act of Congress pre-empting the CCPA, businesses that may have dodged the GDPR bullet must now develop robust data management practices. And even businesses that have not been affected by the GDPR or the CCPA may want to take a second look at their privacy practices and policies; one way or another, privacy regulation seems inevitable.
If you have questions about how to update your privacy agreements to avoid costly trouble, we are here to help. Please feel free to contact us at (303) 768-0123 or send us an inquiry here.