The California Consumer Privacy Act (CCPA) is slated to take effect on January 1, 2020. Brands and agencies are calling it the GDPR of the USA. There’s a lot of acronyms, legalese, and misinformation swirling around the discussion. Let’s clear up the confusion. Welcome to the TINT primer on CCPA.
What exactly is the CCPA and what does it do?
The CCPA is a piece of legislation that grants consumers the right to request information about data a business collects on them. This can include the specific information it collects, the sources of the information, and the purpose of the data collection.
Formally, the bill adds Title 1.81.5 to the California Civil Code section relating to consumer privacy.
The Legislative Counsel’s Digest, an analysis that is attached to most major California legislation, specifically names these consumer rights created by the law.
- The right to request information on the data being collected, the methods of collection, and uses for that data.
- The right to know what types of third-parties will have access to collected data and what uses they have for it.
- The right to request deletion of personal information and for businesses to comply with the that verified deletion request.
- The right to be able to request specific information about third-parties with access to their consumer data.
- The right to opt-out of the sale of personal information by a business and prohibiting a business from retaliating against users who opt-out.
- The right of businesses to incentivize users to allow them to collect personal data.
- The right of underage users to require an opt-in before firms start sharing their data.
- The legal definitions of personal information, particularly in digital spaces.
- The creation of a Consumer Privacy Fund that will be used to support the bill’s enforcement.
When does CCPA take effect?
CCPA starts January 1, 2020. The bill was enacted in 2018, so we shouldn’t be surprised.
Why CCPA?
This isn’t California’s first foray into privacy legislation. Historically, California has been incredibly progressive about consumer privacy, with their legislative process often outpacing (or guiding) Federal procedure.
Several notable California privacy laws:
- Effective 2004 – California Online Privacy Protection Act: Requiring websites and digital services to include a privacy policy on their website. It also requires operators to disclose what personally identifiable information they are collecting including things like name, street address, and gender.
- Effective 2005 – Shine the Light Law: Requiring notice if a business shares consumer data with third-parties.
- Effective 2013 – Privacy Rights for California Minors in the Digital World Act: Governing the targeting of minors through online advertising, specific industries include alcohol, firearms, tobacco, pharmaceuticals, tattoos, tanning, cannabis, e-cigarette, and weaponry.
Does CCPA apply to me?
The National Law Review has a cheat sheet to determine whether CCPA applies to your business.
You business must be:
- A for-profit organization conducting business in California.
- This includes digital presence like displaying a webpage or eCommerce activities.
- Collecting data in some way, shape, or form.
- One of three criteria:
- Over $25 million in annual profit
- Brokers or collects information on over 50,000 California residents or devices
- Derives 50% or more in annual revenue handling data from California consumers.
Some of these numbers can seem extraordinarily large for small businesses and mid-sized firms. But the resident/devices threshold can be quickly met if you’re pulling as little as 5,000 unique users every month. There are also some concerns about whether records obtained by data enrichment tools will count towards this threshold.
Got it! I’ve read the law and feel ready for January!
Hold on there. As reported by AdLawAccess, there are already a slew of amendments being proposed and awaiting approval by the governor.
- AB 1355 – Exemptions for Business-to-Business communications and FCRA reporting.
- AB 1202 – Creation of an Attorney General led registry for data brokers.
- AB 25 – Exemption for employees, applicants, and various business relationships.
- AB 1564 – Requiring businesses to provide two methods of requesting information including a phone number.
- AB 1146 – Exemption for transactions related to vehicle warranty or recalls.
- AB 874 – “Fixes” definition and use of information publicly available from municipal, state, or federal records.
We’ll need to see what makes it past the governor’s desk, legal challenge, and if any additional modifications are made to the legislation.
What to do?
First, ensure that you’re practicing responsible data handling. This is the first wave of many national data laws that are forthcoming. Try to get ahead of the curve. Learn from the mistakes and opportunities of GDPR.
Second, talk to your legal counsel if you think you may be near or surpassing one of the thresholds. A lawyer, particularly one who is a member of the California Bar, will be your best resource to understand the nuances of CCPA.
Third, after cleaning up your data and talking to an attorney, we’ll all need to wait and see. There are the previously mentioned amendments alongside other possible legislation and a number of organizations are alluding legal challenges if the law is not modified.
Some sort of law will take effect on January 1, 2020. Whether it is this iteration is still to be seen.