The days of careless and nontransparent online data management are over. The last two years have yielded the largest reforms in online data privacy protection ever. In May 2018, the European Union passed the General Data Protection Regulation, more commonly known as GDPR. This regulation sent shockwaves through the digital community, affecting any online company that does business with European countries. Shortly thereafter, the state of California followed suit and enacted the California Consumer Privacy Act (CCPA), which is the closest that the U.S. has come to a comprehensive privacy law to date. The CCPA goes into effect on January 1st, 2020. So that you don’t have to take time out of your busy schedule to read through this piece of legislation as you prepare for the change at the beginning of the new year, we’ll provide you with a summary of what you really need to know. But first, a little background on its origins…
For those who missed it, the effects of the GDPR reverberated around the globe: the regulation itself does not actually reference citizenship or residency, which gives it a very broad territorial scope. At its core, it addresses the transfer of personal data between consumers and businesses and is founded on 7 key principles: 1) lawfulness, fairness, and transparency, 2) purpose limitation, 3) data minimization, 4) accuracy, 5) storage limitation, 6) integrity and confidentiality, and 7) accountability.
The Differences Between the CCPA and GDPR
While the CCPA has its roots in the GDPR, these two laws have a few key differences. Both the CCPA and GDPR were created to protect the private information of consumers and have additional protection for persons under 16 years old, but their corresponding legal frameworks are structured differently. For example, the CCPA does not require a “legal basis” to collect personal data.
One of the primary differences is the CCPA’s focus on transparency, which includes requiring businesses to have a “Do Not Sell My Personal Information” option on their websites. This is a huge stride in privacy for consumers, considering that many businesses will be pushed to comply with these standards to reach Californian audiences and reap the benefits of their booming economy. It also means, though, that there is a gray area with personal data collection: the GDPR was structured around the legality of collecting data, while the CCPA is based around personal consent to granting access to personal information. This will likely move us into a new awareness of the information being collected by businesses and perhaps invoke the necessity of a lawyer to translate and guide consumers through the legislative gray area that will ultimately be left up to a court of law to define.
The following are some of the main highlights of the CCPA law:
- The right to know: disclosure of what data is being collected
- The right to delete: the right to request that your personal information be deleted
- The right to opt-out: the ability to say no to the sale of your personal information
- The right to non-discrimination: equal rights and price when exercising your privacy rights
- The right to data portability: the right to receive or have access to personal information that has been provided to a controller, or from one controller to another
- The right of access: the ability to access your personal information
Who Is Affected?
Businesses are only subject to the CCPA if they have “gross annual revenues in excess of $25 million; buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; derives 50 percent or more of annual revenues from selling consumers’ personal information.” (California Department of Justice, 2019). CCPA obligations also apply only to for-profit (business) entities that do business in California, and the law protects only California residents, but it still subjects businesses around the world and their consumers to the same standards as those actually residing in-state. More broadly, you can also expect to feel the impact if you are a B2C business or if your business collects or sells personal information of any kind.
What You May Likely Need to Do
If you are one of the aforementioned businesses subject to the law (see above), this might also point to the need for an attorney, for a few reasons: 1) to answer any questions you may have about the legislation and understand its requirements, 2) to create a solid plan of action to ensure compliance, especially if you meet any of the requirements listed above, and 3) to stay up to date on compliance as the law evolves over time.
For those of you not living in California, the CCPA’s effect may not sound like it will be quite as direct. But you can still expect to feel the impact in other ways, especially economically. Similar to how the GDPR bled into our economy, so too will the CCPA. As the 5th largest economy in the world, California is highly influential in the global market. In order to compete, businesses across the U.S. (and around the world) will have to adapt to comply with these new standards.
If you’d like to learn more about the CCPA, how it compares to the GDPR, and how it may affect you, you can read more here from the Future of Privacy Forum. If you have any questions, please feel free to contact our tech team who will be more than happy to help.