OC LEADER BOARD

Jan. 1 brings a European-style uproar to state businesses when the California Consumer Privacy Act (CCPA) goes into effect.

This law, signed in June 2018, was created to protect the privacy and data of consumers and is intended to give consumers the “who, what, where, and when” of how businesses handle their personal information.

The law gave businesses 18 months to prepare. Like Europe’s General Data Protection Regulation (GDPR), the California law will affect many businesses that collect personal information from people in the state.

How does it affect you?

If you answer yes to numbers 1-3 in Table 1 and meet one of the thresholds described, your business is probably required to comply with this new law.

The law and associated regulations have several specific elements that must be followed. While there are some similarities between California and the European rules, they are not mirror images, Jennifer Lumsdaine, a partner at Tredway Lumsdaine & Doyle LLP, told me.

“Just because you have prepared for the European law does not mean you are already in compliance with the California law,” she said.

The simplified list below covers some of the California requirements that must be met by Jan. 1. Like most regulations, there are stipulations and nuance:

• Update your privacy policies with CCPA language

• Consumers must be allotted, at minimum, two ways of requesting action on their data, including:

  1. Online request form
  2. Toll-free number (Note: There is an exception if your business operates exclusively online and with a direct relationship with the consumer)

• Consumers have the right to make four types of requests, all of which must be completed within 45 days of receipt:

  1. Opt out of the sale of collected consumer data for 12 months, including data shared with third parties in the preceding 90 days.
  2. Delete all identified personal consumer data
  3. The categories of personal data collected
  4. The actual personal data collected

When we assist our clients with preparing for California law, the first thing we do is understand their data. One of the positive outcomes of this law is it forces executives to think about their data and all its possibilities. Data can open doors to new lines of revenue and efficiency if leveraged correctly and this tends to be a natural byproduct of an implementation.

Once the data is understood, we advise businesses to map their people, processes and technologies to take the necessary steps to service consumer requests.

It’s important to note key differences between the two compliance standards. For instance, the California standard specifically pertains to consumers who reside in our state. The European version applies to “data subjects,” a term that refers to anyone, not necessarily an EU resident; wherever data subjects live, companies with business in Europe abide by the standards.

Another key difference: California’s Right to Request Information is less extensive than European requirements. California requires information to be transmitted in a portable and readily useable format, while the Europeans require a structured, commonly used and machine-readable format.

In Orange County, some businesses have made significant strides to comply, with varying approaches.

Many are starting with manual processes. While time consuming, the reality is automation is not always an option, either because the businesses’ data landscapes are insufficient, or the tool implementation is too onerous.

For businesses with the capacity to automate the process, we have seen a hybrid of manual processes and workflow tools, ranging from re-purposing ServiceNow instances to purchasing specific privacy management software with California and European workflows. The tool you choose should be based on your business need. When we assist our customers with this endeavor, we’re outcome-focused and tool-agnostic.

Our customers are most concerned with the resource loading in such an ambiguous space. It is unclear whether a large company will get dozens or thousands of requests. Preparing your organization with strategic sourcing options for changes in workloads mitigates risk.

Cost of compliance isn’t easily measured. Ambiguity around the influx of consumer requests can occur. Solutions can be as cost efficient as updating internal processes and as costly as implementing a new data governance structure across the infrastructure.

While it’s tempting to just “wait and see what happens” with this law, non-compliance puts you at risk of huge fines. You can expect the attorney general to initiate a civil case against you if you remain non-compliant 30 days after being notified about it. The risk is being fined up to $7,500 per violation.

The law expressly allows for private rights of action by consumers where personal information is collected. Of course, it also opens the doors for eager lawyers to create class action lawsuits if they find businesses unprepared.

There are exceptions built into the regulations that allow for denials of requests for information made by consumers or which allow the business to verify the request is being made by the appropriate person. Additionally, there is an option for extending the 45-day time limit to respond to a request for information.

It is helpful to confer with legal advisers when determining the best course of action that balances business capability with legal risk.

We expect this type of law to eventually become national as bills in Massachusetts, Minnesota, Pennsylvania, New Jersey and New York, among other states, will be debated in the coming months. While these laws are currently targeted at larger businesses, privacy laws likely will continue to expand and affect mid-size and small businesses as well.

Editor’s Note: Jenny Dinnen and her twin sister, Katie Rucker, are owners of data-focused market researcher MacKenzie Corp., which this year won the Business Journal’s Family-Owned Business Award in the small company category.

Table 1

Do you answer yes to all of these questions?

Are you …

  1. a for-profit entity? and
  2. doing business in California? and
  3. collecting or telling others to collect personal information of consumers and determining the purposes and use of that information?

And do you answer yes to any of these questions?

Do you …

  1. have annual gross revenue of at least $25 million? or
  2. derive 50% or more of your annual revenue from selling personal information of California residents? or
  3. annually buy, receive, sell, or share the personal information of 50,000 or more California residents, households or devices?
