The California Consumer Privacy Act of 2018 (CCPA), which passed in June 2018, will take effect January 1, 2020, and is set to have a significant impact on companies that do business in the Golden State.
“The CCPA is precedent-setting in the U.S. because it has far-reaching implications for data management and recordkeeping,” says Kathy Krafka Harkema, the American Architectural Manufacturers Association (AAMA) codes and regulatory affairs manager.
Who Does the CCPA Affect?
The act regulates and clarifies the acceptable interaction with and use of a consumer’s personal information. Its reach extends beyond the U.S.: any company that has at least $25 million in annual revenue and interacts with California residents, including international companies, must comply, the bill states.
“Your business doesn’t have to be physically located in California or even the United States to fall under the new law’s requirements,” Krafka Harkema adds. “So take time to understand it and what it takes to comply.”
What is the Big Deal With the CCPA?
The CCPA requires a company, upon a California consumer’s request, to release the extent of the information it has collected on that consumer over the past 12 months. In addition, the company must provide a full list of any third parties with which the data has been shared. Once a consumer has submitted a request, the company has 45 days to release the report; otherwise it is in violation of the act and is susceptible to fines and even a lawsuit from the consumer, as outlined in the document.
Krafka Harkema points out that this act is exceptional in the amount of compliance it requires.
“While most existing consumer protection laws deal with what happens in the event of a data breach, the comprehensive new California law also allows consumers to sue companies if the privacy guidelines are violated, even if data is not breached,” she says.
The company has 30 days from the time it is notified of a violation to correct the problem; otherwise, fines can be up to $7,500 per consumer record. The bill also allows individuals to sue.
Because the bill was drafted and passed in just a week, several data privacy professionals believe the CCPA is likely to have several amendments made to it before it takes effect in January.
Amendments already proposed include the exemption of employee data and of publicly available, deidentified and aggregate consumer information.
What Does the CCPA Regulate?
In addition to the consumer’s ability to request a report on all personal information the company has acquired, other regulations addressed in the bill include:
- Notice of collection of personal information, which informs a consumer of the categories of information which will be collected and the purpose for which they will be used;
- Notice of right to opt-out of sale of personal information, which requires a clear and conspicuous link be provided that allows the consumer to refuse personal data sharing;
- Notice of financial incentive, which informs consumers of price differences the company may offer based on the consumer’s agreement to use data;
- Practices for handling consumer requests to delete information;
- Training for those handling consumer requests; and
- Prohibition of discriminatory practices based on a consumer’s privacy preferences.
Personal information as identified in the bill includes but is not limited to:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with an internet website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Professional or employment-related information;
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act; and
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
To learn more about who the privacy law affects, its requirements and how to prepare, read the current version of the CCPA here.
“If you haven’t already done so, now’s the time to consider what may be needed to update your data management procedures and processes to comply with its provisions,” advises Krafka Harkema.