Starting on January 1, Americans – or at least 40 million of them living in California – now have a comprehensive online privacy protection law in place called CCPA (California Consumer Privacy Act). Just like its European counterpart, the General Data Protection Regulation (GDPR), which was passed in 2018, CCPA will eventually extend far beyond the State of California and reach the entire nation.
Professionals and experts believe the odds are pretty strong that CCPA will be the foundation of privacy regulations in many other states or even U.S. federal online privacy law.
CCPA has established much stronger rights for Californians concerning their online data. For example, California residents now have the power to order any company NOT to SELL their data to any third party for any purpose without their consent. Californian consumers can also ask just about every company that has collected their data, and anyone else with whom the company has shared it, to delete the information from their records.
What Can a Business Do?
Under the newly enforced regulation, Californian consumers are entitled to know the categories of information that companies have collected and to see any specific pieces of the data, such as postal address and browsing history. Although CCPA is meant for consumers residing in the state of California, most companies will find it difficult to pinpoint the exact location of every single consumer. It is just the nature of the Internet that no one knows where a user is. Some businesses will have to apply CCPA across the board simply because they cannot effectively distinguish between Californian consumers and those from other states.
Another thing to consider is that Californian consumers have the right to take legal action for unlawful use of their online data in any form, so failure to comply may lead to disastrous consequences on companies’ part. CCPA applies to any for-profit entity which does business in California, collects consumers’ data, and meets any of the following thresholds:
- Generates an annual gross revenue of more than $25 million
- Trades (buys or sells) personal information of at least 50,000 consumers or households, or
- Earns more than 50% of annual revenue from selling consumers’ data
The thresholds may appear to target medium-to-large-sized companies, but many small businesses and even startups can quickly meet one or more of the limits. But then again, this is not the end of the world. Online data privacy regulation has been a hot topic for years, and CCPA is the logical first step toward the culmination of that discussion. There are several things businesses can do to ensure compliance without sacrificing profitability.
Read the fine print
Unless you have an executive team to do it for you, it is always best to try and understand CCPA yourself. This way, you can make notes of the things you don’t fully comprehend so that you can ask a more experienced legal professional for help later. While you’re at it, pay attention to the following rights granted to Californian consumers:
- the right to know what personal information is collected about them
- the right to know whether the personal information is being sold or disclosed to any third party and who the third party is
- the right to decline the sale of personal information
- the right to access the personal information
- the right to receive equal price and services, regardless of how they exercise their privacy rights
And in the case of loss of personal information due to theft or other causes, California consumers have the right to seek damages.
Understand what personal information your business collects
As obvious as it may seem, many companies are not fully aware of the kinds of personal data their own businesses collect from consumers. Some probably don’t know that their businesses collect data at all. This is most often seen in startups where the focus is mainly on growing the business. Privacy regulation is likely considered an obstacle to growth, but now they cannot just ignore CCPA, because the consequences can be severe.
Have your business partners read the law too
If you run a reasonably sized company, chances are you have multiple employees (or departments) to handle various tasks from bookkeeping to marketing, from networking to customer service. To properly implement CCPA and ensure compliance, make sure everyone in the company also reads the bill. Your officers, executives, and legal teams should understand the law better than anybody. Know the potential risk and craft a plan to avoid penalties.
You can read the full text here.
Privacy policy and regulation have the reputation of being the dark side of business conduct. The reality is that many companies most likely take advantage of personal consumer data for marketing or downright additional revenue by selling the information to third-party entities such as advertisers. CCPA is trying to get rid of the murkiness and provide a clear path for both companies and consumers to play it fair and square.