What is California’s new consumer privacy law and could you be fined?

If you’re not familiar with California’s new Consumer Privacy Act (CCPA), you’re not alone. In August, an IT security firm surveyed 625 business owners in California and found that almost half had never heard of the CCPA and fewer than 12% knew whether the law applied to their business. Now is the time for your company to assess the law’s potential impact and, if it applies, take steps to comply.

What is CCPA?

Taking effect on January 1, 2020, the California Consumer Privacy Act (CCPA) is modeled on the European Union’s General Data Protection Regulation (GDPR). It creates new consumer rights over the access, deletion, and sale of personal information collected by businesses, and it defines the responsibilities of businesses that collect and process that information. Its scope covers businesses located in California as well as businesses located elsewhere that do business with California residents and meet the thresholds described below.

Among the rights ensured in CCPA are:

  • Consumers have the right to know what personal information is collected about them, including the categories of data and the purposes for which it is collected, disclosed at or before the point of collection, and to be notified if those purposes change
  • Consumers have the right to opt out of the sale of their personal information
  • Consumers have the right to request deletion of their personal information
  • Personal information of minors under 16 may not be sold without opt-in consent (from a parent or guardian for children under 13)
  • Consumers have the right to know the categories of third parties with whom their data is shared and the categories of sources from which it was collected
  • Consumers have a right to sue when a breach of their non-encrypted, non-redacted personal information results from a business’s failure to maintain reasonable security, and the state may also impose penalties for noncompliance.

Which businesses are impacted?

The CCPA impacts both California-based businesses and companies elsewhere that do business with consumers in California. It applies to any for-profit business that collects California consumers’ personal information and meets at least one of the following three thresholds:

  1. Has annual gross revenues in excess of $25,000,000.
  2. Annually buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50% or more of its annual revenue from selling consumers’ personal information.

Although the $25M revenue threshold is meant to keep small businesses and startups out of scope, the thresholds are alternatives, not a combined test: a company well under $25M is still covered if it crosses the 50,000-record line. Many companies already have email lists or internal databases with more than 50,000 records of past, current, or prospective customers. If you use a marketing automation platform (Marketo, HubSpot, and similar tools), have ever bought or scraped email lists, or have simply been in business for a long time, you may find the 50,000-record threshold easy to reach. Note that the count covers consumers, households, or devices, so website visitors tracked by cookie or device identifier count toward it along with named customers.

Note that “sharing” can be as simple as passing information from a website form to your email provider (Constant Contact and similar services) or to Google Analytics: the CCPA’s definition of personal information includes technical information a user’s browser sends when it visits your website, such as IP addresses and cookie identifiers. Even if your organization does not currently meet any of the three thresholds, the CCPA is widely expected to serve as a model for other states and, potentially, for federal legislation. Ignore the CCPA at your own peril.

What is the potential exposure of non-compliance?

The California Attorney General’s office is scheduled to begin enforcement on July 1, 2020. Civil penalties are up to $2,500 per violation, or up to $7,500 per intentional violation. The law also carries a twelve-month “look-back”: a consumer’s request to know covers personal information collected in the twelve months before the request, so a request made on January 1, 2020 reaches back to data collected throughout 2019. The specifics of enforcement are still being developed by the State of California. While the Attorney General generally enforces the CCPA, private citizens can also sue a company directly when unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information results from the company’s failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. (An unencrypted spreadsheet of customer records on a stolen laptop is exactly the kind of incident this covers; full-disk encryption on laptops, with the key not stored alongside the device, keeps that scenario outside the private right of action.)

What to do now

We recommend that our clients be proactive in assessing the impact of the regulation and take steps to become compliant if needed. While the safest course is to consult your legal counsel, there are several steps you can take on your own.

First, simply Google “CCPA compliance” or refer to the resource links below to get up to speed. 

Second, even if you believe your company is not impacted or that the business risk is minimal, we recommend updating your website’s privacy policy to meet CCPA requirements: at a minimum, describe the categories of personal information you collect, the purposes for which you use it, and how consumers can exercise their rights. (You do have a privacy policy on your website, right? If not, now is a perfect time to create one.)

Third, if you believe your organization will be subject to the CCPA, now is the time to inventory the personal information you collect, and what you have collected and stored in the past, including where it lives (CRM, marketing platforms, spreadsheets, backups) and which vendors receive it. Determine what information you actually need to run your business. If you are collecting or archiving data that is no longer useful, you can reduce your exposure by deleting it: data you no longer hold cannot be breached, does not have to be produced in response to an access request, and does not have to be tracked for a deletion request.

Additional CCPA Information Resources

We’re not lawyers, but Sterling has worked with clients on GDPR and CCPA compliance obligations. If you have questions or would like Sterling’s help, please contact Mark Bonham at (408)395-5500.