Guest Blog by KJ Dearie from Termly
Shortly after the General Data Protection Regulation (GDPR) came into effect, California made its own leap forward in data privacy law by passing the California Consumer Privacy Act (CCPA). Taking effect on January 1, 2020, the CCPA will grant new data rights to consumers and establish new data-handling standards for companies.
Here are the key takeaways from California’s newest piece of privacy legislation:
1. Business, Consumer, and Sale Have New Definitions
Tackling CCPA compliance requires you to understand the key definitions under the law. Here are the three biggest terms that companies need to know:
Consumer: A consumer is defined as a citizen or resident of California.
Business: Under the CCPA, a business is defined as an organization that meets one of the following criteria:
- Annually sells, shares, buys, or receives the data of over 50,000 consumers, devices, or households
- Makes 50% or more of annual revenue from the sale of personal data
- Has an annual gross revenue equal to or exceeding $25 million
Sale of data: “Sale,” “sell,” and “selling,” as they’re written in the CCPA, refer broadly to the sharing of consumer data for reward (monetary or otherwise). Whether in writing, orally, or through a formal transaction, if a business disseminates consumer information to a third party in exchange for any “valuable consideration,” that business is selling data.
Evaluate how these terms apply to your operations to gauge whether you need to comply with the CCPA, and how your practices are impacted by the law.
2. Consumers Can Deny the Sale of Their Data
- Comprehensively details data collection
- Outlines new user rights
- Updates annually, starting January 1, 2020
4. Users Can Sue for Loss of Privacy
In 1972, California added “privacy” to the state constitution’s list of inalienable rights. It was unknown at the time that nearly 50 years later, the greatest threat to Californians’ privacy would be the internet. With this development, California laws have been slow to acknowledge how online data plays into the people’s right to privacy. The CCPA seeks to fix that.
Under the law, consumers have the right to sue for loss of privacy — even if no damages are suffered. That means if your business suffers a data breach, a user whose data was compromised (even without physical or monetary consequences) can sue your company through the California Attorney General. Since breaches most often affect multiple users’ data, compromised security can easily lead to class-action litigation. With that threat looming, it’s critical to adopt data protection measures and thoroughly evaluate your data-handling processes to arm your company against potential breaches.
5. Use the GDPR as Your CCPA Guidepost
The CCPA was passed in haste on the heels of the GDPR taking effect in May 2018. Although it was inspired by the GDPR, the bill that was ultimately signed into law is notably less strict than the EU’s comprehensive privacy act.
Still, the CCPA is just a first step in US efforts to adopt the same level of data protection that the EU is trying to enforce. Alastair Mactaggart, the father of the CCPA, has already drafted a proposal for another, even stricter California privacy law. In addition, more state laws are cropping up around the nation, while proposals for federal data privacy laws continue to make their way to Washington.
With more privacy legislation coming down the pipeline, there’s no such thing as being over-cautious in your compliance efforts. As the GDPR set the new standard for data privacy law, it’s a good idea to look to those requirements for guidance on meeting and exceeding the privacy demands of the CCPA, as well as the data laws still to come.
KJ Dearie is a product specialist and privacy consultant for Termly, where she advises business owners and digital professionals on how to comply with the latest data privacy laws and trends.