What Impact Will the California Consumer Privacy Act Have on Your Program?
Over the past decade there has been an undeniable shift towards social media, search engines, mobile, and other online platforms that handle loads of consumer data on a daily basis. Moreover, third-party data brokers and brands regularly collect, process and share reams of personal information with other business units and partners.
This free flow of consumer data across various internet platforms supports both ecommerce and online marketing. In fact, data is the lifeblood of the business models that support the internet and overall economy. The beauty of the internet is that it accumulates once-unimaginable stores of information and makes them accessible instantly from anywhere with the click of a mouse.
But if you listen to the Europeans, that’s not a feature; it’s a bug—and that sentiment is now bleeding over into the United States.
California’s new consumer privacy legislation
As the role of technology and data has increased in our everyday lives (e.g., Facebook, Google, and mobile apps), California’s legislators have come to believe that existing California law has not kept pace with the personal privacy implications surrounding the collection, use, and protection of personal information. They are concerned that “misuse” of personal data may have negative impacts for individuals.
On June 28, 2018, the California Legislature passed Assembly Bill 375 and enacted the California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”). The Legislature rushed the bill through in order to preempt a more stringent privacy ballot initiative from appearing on the November ballot, which, if passed, would have been difficult to amend or repeal. Despite a very brief deliberation, the Legislature passed the sweeping bill that will impact most businesses that collect or sell California residents’ personal information.
The new legislation gives Californians the right to see what information businesses collect on them, request that it be deleted, get access to information on the types of companies their data has been sold to, and direct businesses to stop selling that information to third parties. It’s similar to the General Data Protection Regulation that went into effect in the European Union recently, but adds to it in crucial ways.
Who is impacted?
Companies doing business in California must comply with the CCPA if they meet or exceed at least one of these three thresholds:
- Annual gross revenues of $25 million;
- The company obtains personal information from 50,000 or more California residents, households, or devices annually; or
- 50 percent or more of annual revenue is derived by the company from selling California residents’ personal information.
Keep in mind, there are still some outstanding questions about how these thresholds will be applied. (For example, does “revenue” include only California revenue, US revenue, or global revenue?)
What does the new law require?
Businesses must evaluate their personal information handling and privacy policies and procedures and comply with the Act by January 1, 2020. Failure to do so may expose companies to penalties of up to $7,500 per violation. Happily, the CCPA’s delayed effective date may also give the Legislature a chance to amend problems overlooked due to its swift passage. But for now, companies in California, the United States, and around the globe are analyzing this legislation and preparing to comply.
Though lawmakers and others are already discussing amending the law prior to its effective date, as passed, the law would allow Californians:
- To ask, “What do you collect/store?”, “Why?”, and “With whom do you share it?”
- To opt out of sale of their data.
- To request deletion of their data.
- The right to be informed of what categories of data will be collected about them prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- The right to know the categories of third parties with whom their data is shared.
- The right to know the categories of sources of information from whom their data was acquired.
- The right to know the business or commercial purpose of collecting their information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach their data, to make sure these companies keep their information safe.
Some believe that the CCPA (as well as the GDPR and upcoming ePrivacy regulation in Europe) may presage a new era of more stringent and increasingly complex privacy laws. It is possible that we are approaching a “tipping point” whereby these new laws begin to adversely impact the core business models supporting the internet, online marketing, ecommerce, and personal information data processing.
There’s a lot of work to be done before there are actual regulations on the books, and over the next two years consumer and industry advocates will be submitting recommendations, cleanups, and clarifications to the Attorney General’s office to guide those regulations.
Stick with us here at Return Path as we work through our many coalitions to extensively comment and suggest changes to this bill in order to balance privacy and stave off unintentional impacts to the data-driven economy.
About Dennis Dayman
Dennis Dayman has more than 20 years of experience combating spam, security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path and its customers, and to ensure the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet-related policy issues.