Well, it’s not like we didn’t see it coming. Cambridge Analytica confessed to it. The Congress of the United States squawked about it. Mark Zuckerberg addressed it. Everyday consumers got burned by it. And finally, California did something about it, passing the California Consumer Privacy Act (CCPA) of 2018. And it’s going to have far reaching impact on many companies, including online tech giants that collect and sell customer data.
“This is a huge step forward for people across the country.”--- California State Senator, Bob Hertzberg
What is the California Consumer Privacy Act of 2018?
The California Consumer Privacy Act, which goes into affect on January 1, 2020, is the most far-reaching and toughest bill enacted to enable consumers to control how their personal data is collected and used by companies doing business with California residents. While not considered as punitive as the European Union’s General Data Protection Regulation (GDPR), the bill grants consumers the following rights:
- request access to the personal information that a business has collected about them
- request that a business delete personal information, subject to certain exceptions
- request that a business disclose certain information, including the categories of personal information that the business has collected about them, the categories of sources for that information, the business purpose for the collection or selling of the information, and the categories of third parties with whom a business shares or to whom the business sells the information
- direct a business that sells personal information to third parties not to sell the consumer’s information (more like the current right to opt out)
- accept “financial incentives” for allowing businesses to collective and sell personal data
“User privacy needs to be thoughtfully balanced against legitimate business needs.”--- Google
What’s Does It Take to Comply?
Businesses doing business in California are required to comply with the following mandates:
- promptly respond (45 days max) to requests by California consumers to exercise their rights under the Act;
- do not discriminate against consumers who exercise their rights under the Act, including by denying goods or services to the consumer or by charging different prices or rates for goods or services or providing a different level or quality of goods or services
- train employees who handle consumer inquiries about the business’s privacy practices or compliance with the Act
- execute contracts with service providers to prohibit those providers from retaining, using or disclosing the personal information for any purpose other than for the specific purpose of providing the services to the business
- establish reasonable security procedures and practices appropriate to the nature of the information to protect personal information
If your company does not do business in California, then all this does not apply. But in today’s national and global economy, the idea of restricting business (especially of an Internet business!) is unlikely – and shortsighted. But if you do business with this pioneering state, then preparing for compliance should start now. In fact, many of the mandates indicated above may already exist in your written policies and procedures.
What Is the Penalty for Non-Compliance?
As we noted earlier, the penalties for non-compliance are not as stiff as those imposed by the GDPR, which could impose fines as high as $46 million ($U.S.). Under the California bill, penalties could range between $750 and $7,500 per violation. The California State Attorney General’s Office will determine whether to file investigations for individual or class action lawsuits.
““Companies should be held to high standards in explaining what data they have and how they use it.”--- Facebook
What Is Big Tech Doing and Saying?
The response of the tech giants has been both supportive and antagonistic. They have publicly supported the need for better policing of their own procedures. At he same time, companies such as Google, Facebook, Microsoft, Amazon, Uber and a significant internet service providers continue to fight the legislation by supporting anti-legislation committees and organizations. Bottom line: this is not yet a done deal, but all indications point to this happening next year.