The California Consumer Privacy Act – is America ready?
California is the world’s fifth largest economy and will soon enforce strict new privacy laws.
The new privacy law, the California Consumer Privacy Act (CCPA), goes into effect on January 1, 2020.
Some of the best new technology companies are based in California, so it’s no surprise that the state’s gross domestic product rose by $127 billion from 2016 to 2017, surpassing $2.7 trillion.
It is the first government in the U.S. to regulate how businesses retain and use electronic consumer data. Consumers will get more say over the collection and use of their personal information.
The CCPA will require all state for-profit businesses to disclose to consumers, upon request, the specific pieces of personal information they collect and the sources of that information. Consumers can also require companies to delete personal information, refrain from selling it, and pursue legal action if businesses fail to comply.
Even if your organization does not have so much as a single branch office in California, if your customers reside there, you must comply with the regulation. Moreover, the CCPA protects the privacy of California residents wherever they are in the world, not just in-state.
The law states: “Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.”
The CCPA, in broad terms, mirrors the EU’s General Data Protection Regulation (GDPR).
It has even earned itself the nickname “GDPR lite.” There are some similarities, such as parental consent and data processing restrictions. But the CCPA defines “personal information” more expansively and offers opt-out rights.
The world’s most powerful technology companies, including members of the Internet Association, have voiced their criticism over the new California law. This is mainly because most of their members enjoy revenue streams dependent on amassing user data.
Kevin McKinley, Internet Association director for California Government Affairs, told Yahoo Finance: “Internet companies support an economy-wide, federal privacy law that provides all Americans with meaningful transparency and full control over how the data they provide to companies across all industries is collected, shared, and protected.
“The CCPA has many flaws that resulted from the abbreviated legislative process last year.”
McKinley said that in an attempt to rush the law through before the end of last year’s legislative session, the California legislature failed to tailor it in a way that ensures businesses can efficiently comply. He said that failure had prompted at least eight proposed amendments, currently under consideration.
Companies in California successfully petitioned local lawmakers to kill a bill that would have given citizens greater ability to sue firms for illegally collecting their digital information.
CCPA vs GDPR
There are some differences between what the GDPR does and what the CCPA covers.
Firstly, the CCPA will use an opt-out basis for consent whereas the GDPR uses an opt-in basis. This essentially means that users will have to actively reach out to companies to find out about what sort of information is being used. Additionally, the GDPR applies to any organization that holds personal data on EU citizens.
The CCPA, on the other hand, only applies to for-profit companies that process data on California residents. The organization must either have at least $24 million in annual revenue, hold the data of 50,000 people, or earn at least half of its revenue from the sale of personal data.
The CCPA establishes a consumer’s right to request that businesses disclose what sort of data is gathered about them. Unless you’re using a tool such as a virtual private network (VPN), it’s very likely that many businesses are gathering information about you whenever you’re online.
This will bring much-needed transparency to businesses all over California.
However, it’s not all plain sailing. Worryingly, a recent survey by Dimensional Research of 250 executives and managers of U.S. businesses likely to be affected by the CCPA found that nearly half (44%) hadn’t taken any steps towards compliance.
Only 14% of respondents were confident they would even be ready by the time the CCPA takes effect.
But nearly three-quarters (72%) of respondents intend to catch up on compliance by investing in technology.
Google was recently hit with a $57 million fine for not properly disclosing to users how data is collected across its services, while Facebook faces several investigations by European authorities. Here in the UK, it’s very likely we will soon hear about many more enforcement actions.
So the U.S. needs to make sure that its businesses take the CCPA seriously and remember that fines and threats to their reputations – just like with our GDPR – will follow if they don’t embrace and enforce the new regulations.