Why Smaller Businesses Can’t Ignore the California Consumer Privacy Act

CCPA has its burdens but also its benefits as it requires businesses of all sizes to streamline and strengthen data collection and protection processes. Last year many people awakened to the fact that their personal information is no longer their own. Their data goes into company records, which may be online or on paper or in the cloud, protected as closely as Fort Knox or available to the highest bidder. Data protection is shockingly inconsistent, as demonstrated in an endless wave of security breaches.

While the European Union has its General Data Protection Regulation (GDPR), the U.S. has yet to determine a federal policy on consumer data privacy protection. In the absence of federal law, the California Assembly passed the California Consumer Privacy Act (CCPA) effective January 1, 2020.

As the world’s fifth-largest economy, legal and societal changes in California have a profound impact on other states. Whether it’s pollution control, smoking bans, or same-sex marriage, what happens in California most definitely does not stay in California, and often becomes a model for other states.

CCPA articulates the rights of consumers related to the access and use of their broadly defined “personal information.” It also enumerates the responsibilities of businesses that collect and process personal data, with the result that even small businesses will need to make significant changes to the data protection programs that cover California residents. And it won’t be easy.

What is CCPA?

The average consumer believes they have fewer than 50 online accounts, says Allstate research, although the reality is three times that figure. Some of the data in these accounts is crucial to a company’s ability to predict customer actions and personalize offerings. But a lot of it is swept up in a blanket attempt to gather as much customer data as possible, in case it’s of use to improve the customer experience at an indeterminate date. Trusting, busy consumers complete registration forms and click “accept” on autopilot.

CCPA gives California residents a number of rights with respect to control of their personal information. There are also requirements for businesses to revise their relevant privacy policies and vendor contracts, and for training personnel on CCPA.

  • Disclosure to consumers that personal information is collected or sold, the purpose, the categories of information and their sources, and the categories of third parties with whom the business shares the information.
  • Access for consumers to the personal information collected on them and a copy of that data.
  • Deletion of consumers’ personal information held by companies.
  • Opt-Out of the sale of consumers’ information. If a business sells personal information, it must include a “Do Not Sell My Personal Information” link on its homepage. Businesses also need parental consent to collect the data of children.
  • Antidiscrimination protection for consumers who exercise their rights under CCPA, and the right of consumers to sue.

Even if you think your small business tent is currently pitched outside the CCPA camp, it’s highly likely that a similar policy will eventually be adopted across the U.S. There are currently draft bills in Congress that would override the stricter CCPA and regulations passed by several other states, and even a proposal for a Digital Privacy Agency. Dozens of tech CEOs have voiced support for a federal law, while others have vowed to apply CCPA in the meantime. So now is the time to prepare.

Does CCPA apply to me?

We’re a very small business, you say, and we’re not even based in California! That doesn’t matter. CCPA applies to any for-profit entity doing business with California residents, regardless of physical presence. Due to the state’s sizeable population and economic influence, and the explosion in online retail sales, chances are pretty good that even a mom-and-pop business on the right coast may have some California-based customers.

In addition to the above, CCPA applies to businesses that meet any of these thresholds:

  • Has annual gross revenues of more than $25 million.
  • Buys, sells or shares personal information of at least 50,000 consumers, households or devices.
  • Derives at least 50 percent of annual revenue from selling consumers’ personal information.

It’s pretty easy for even a small business using marketing automation tools to acquire databases and email lists with information on more than 50,000 California residents, when you total up past, current and prospective customers. “Sharing” information can be interpreted to include even basic business actions such as passing customer data from a registration form to your third-party email provider. Moreover, CCPA expands the definition of personal data by including household information from virtual assistants, smart speakers, health trackers, and other devices connected to the Internet of Things, and it can include geolocation and biometric information.

Not-for-profit organizations can breathe a sigh of relief that they generally do not fall under the CCPA umbrella, although there are exceptions concerning corporate-controlled nonprofits. They will also see CCPA impact on donor lists acquired from third-party vendors.

CCPA grants the state the right to impose penalties for non-compliance or violation. While enforcement won’t begin until July, officials are monitoring companies from January 1. “We will look kindly on those that … demonstrate an effort to comply,” California Attorney General Xavier Becerra said in a Reuters interview in December. “If they are not (operating properly) … I will descend on them and make an example of them …”

What’s the minimum I should do?

Businesses will spend a lot of money to adapt to these new regulations. Even very small companies with fewer than 20 employees should expect an average initial cost of up to $50,000. Other eye-popping figures come from an economic impact assessment commissioned by the state attorney general’s office, which assumes 75 percent of California businesses will need to comply.

Big companies should be able to adapt to CCPA fairly easily, because they already have experience in meeting GDPR requirements and have access to in-house legal and compliance teams. But what if you’re a small business that rarely has reason to seek outside counsel and doesn’t have privacy tools already built into its systems? In the short term, you may struggle to interpret and implement the regulations. But the burden should lighten as new data management solutions emerge for compliance, and competition drives costs down.

At the very least, small businesses should assess their CCPA readiness, rethink their processes for storing and monetizing data, update their web presence, and hold employee training.

  • Consult the experts. Even if you believe your business risk from CCPA is minimal, it’s worth the expenditure to seek expert advice to set yourself up for eventual compliance. A simple online search turns up a lot of free legal advice gathered during the lead-up to GDPR and tailored to CCPA.
  • Conduct an assessment of the data you collect to reduce inefficiencies. You can reduce your risk by streamlining the data you collect, share and keep. Is the customer data you require absolutely necessary to running your business? What information is gathered on the back end of your website through plug-ins? Make it a new year’s resolution to delete old archives that you aren’t required by law to preserve. Maybe your customers don’t care if you send birthday cards to their physical addresses.
  • Inventory your employees and third-party vendors. Just as CCPA provides an opportunity to re-evaluate the data you collect, it’s also an incentive to review where your data is stored and who has access to it. Is access granted automatically, or on a case-by-case basis? Are there old permissions that can be revoked? Schedule a CCPA review with the employees who handle customer data. Ask your vendors about their own CCPA compliance plans, as many are probably storing data of yours that is covered by CCPA and will be able to provide you with additional tips and counsel.
  • Update your website privacy policy. Play it safe and update your policy to comply with CCPA. If you don’t feel you need to have an opt-out button at this time, determine if you’ll be able to add one quickly. How tough will it be to scrub people completely from your databases, and to give over a copy of their data? And will you have a way to obtain parental consent for young users that goes beyond existing regulations? If you don’t already have a website privacy policy, now would be a good time to establish one!

With challenges come opportunities

Mandated by law or not, businesses should be transparent with consumers about the data they collect and use, as technology innovations will only make it easier to abuse it. For example, Gartner predicts that by 2024, biometric-tracking sensors combined with artificial intelligence will enable businesses to detect consumer emotions and leverage the data for hyper-personalized advertising.

As the CCPA economic assessment noted, “CCPA will fundamentally change how firms work with personal data” but there is a silver lining. If CCPA “increases consumers’ trust of data protections, it could actually increase the amount of data that consumers are willing to share with firms” which can spur innovation in personalized products and services.

Whether you think CCPA is a burdensome set of regulations or the kick-in-the-pants companies need to better respect customers’ personal data, it’s now in effect. And as California goes, so goes the nation.

William Dummett is the chief privacy officer and assistant general counsel for Genesys (@Genesys), the global customer experience and contact center solutions provider. He ensures CCPA compliance for Genesys products. Contact him on data privacy topics at or through the company’s Indianapolis office.
