There’s a new consumer data protection regulation going into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) is reported to be among the most stringent data protection privacy laws in the U.S. and it will have a ripple effect on businesses around the globe.
By Aleksandra Kubis
Focusing on the privacy rights of individuals, the CCPA regulates the way marketers handle personal information of California residents. Specifically, if your business has over $25M in annual revenue, processes (buys, sells, receives, or shares) 50,000 or more California consumer records each year, or earns 50 percent or more of its annual revenue from selling personal information of California residents, you must comply with CCPA. The law also applies to companies that share common branding (name, service mark or trademark) with a business that meets these criteria. This includes marketing agencies, online payment processing vendors, and digital marketing technology companies, for example. Additionally, if your business doesn’t fall within the criteria outlined above but is a service provider to a company that does fit the criteria, you should still be knowledgeable about CCPA requirements.
With CCPA, customers have the right to know what personal information a business has on them and how it’s being used. Consumers will also be able to ask businesses for their personal data including why, where and with whom it was collected, sold or shared. Businesses have 45 days to respond to the request, and the business must provide information about how the data was handled within the year preceding the request.
- The types of personal data the business has collected, sold, or disclosed within the last 12 months.
- How and why the company uses personal data.
- Third party partners that have the customer’s personal data including service providers such as marketing agencies, digital marketing vendors, payment processing vendors, and the like.
Businesses that don’t comply with CCPA can face a maximum fine of $750 per consumer or violation. For example, if a business collects data from 1,000 California residents without complying with CCPA, they can face fines of up to $750,000. Also, if a business doesn’t meet certain data security requirements, consumers can demand that it be fixed within 30 days or the business risks legal action.
While CCPA doesn’t go into effect until the new year, businesses should spend time now getting their systems ready to comply. This includes updating their back-end systems, reviewing their privacy statements and contracts with third parties, and making sure their digital marketing and email contact lists are in compliance. In theory, CCPA applies to the data of California residents. In reality, it will be difficult to limit compliance only to those residents.
Another date that businesses should circle on their calendar is July 1. This is when California’s Attorney General is likely to announce rules on how to implement CCPA regulations. For example, clarifying what constitute personal information and identifiers, disclosures that need to be added to customer notifications and privacy policies, and how businesses can best respond to customer requests.
CCPA is yet another example of the rising consumer demand for proper collection and management of their data. We can likely expect other states to follow suit with CCPA and institute stricter regulations and fines to protect consumers and ensure more meaningful online experiences.
Aleksandra Kubis is the Head of Legal at GetResponse, a global digital marketing company.