Guest Blog by KJ Dearie from Termly
Shortly after the General Data Protection Regulation (GDPR) came into effect, California made its own leap forward in data privacy law by passing the California Consumer Privacy Act (CCPA). Taking effect on January 1, 2020, the CCPA will grant new data rights to consumers and establish new data-handling standards for companies.
Here are the key takeaways from California’s newest piece of privacy legislation:
1. Business, Consumer, and Sale Have New Definitions
Tackling CCPA compliance requires you to understand the key definitions under the law. Here are the three biggest terms that companies need to know:
Consumer: A consumer is defined as a citizen or resident of California.
Business: Under the CCPA, a business is defined as an organization that meets one of the following criteria:
- Annually sells, shares, buys, or receives the data of over 50,000 consumers, devices, or households
- Makes 50% or more of annual revenue from the sale of personal data
- Has an annual gross revenue equal to or exceeding $25 million
Sale of data: “Sale,” “sell,” and “selling,” as they’re written in the CCPA, refer broadly to the sharing of consumer data for reward (monetary or otherwise). Whether in writing, orally, or through a formal transaction, if a business disseminates consumer information to a third party in exchange for any “valuable consideration,” that business is selling data.
Evaluate how these terms apply to your operations to gauge whether you need to comply with the CCPA, and how your practices are impacted by the law.
2. Consumers Can Deny the Sale of Their Data
The CCPA development that’s raised the most concern from businesses is the Do Not Sell My Personal Information (DNSMPI) request requirement. Businesses need to provide consumers with a viable means of denying the sale of their data. Links to these request forms need to be displayed clearly on the homepage of your website and within your site’s privacy policy. This “link” can be provided as linked text, a button, or a custom logo.
3. You Need to Update Your Privacy Policy
Privacy policies are already mandated in California by laws such as the California Online Privacy Protection Act (CalOPPA). However, the CCPA introduces new privacy policy requirements. To comply with the CCPA, create a legal privacy policy that meets the following specifications:
Comprehensively details data collection
Already, your privacy policy should indicate what data you collect, where you collect it from, why you collect it, and who it’s shared with or sold to.
Even so, the CCPA requires more thorough disclosures. Notably, CalOPPA-compliant privacy policies need only disclose the extent of online data collected from users. Under the CCPA, your privacy policy also needs to list all categories of consumer data you collect — including information gathered offline.
Outlines new user rights
Under the CCPA, consumers are given new rights over their data. Among these are the rights to request access to information collected from them, request that information be edited or deleted, and deny the sale of their information to third parties. All of these rights need to be clearly outlined in your privacy policy. Furthermore, you need to specify how consumers can exercise those rights. For example, you can include instructions on how users can submit a data access request, and link out to the appropriate pages or forms.
Updates annually — starting January 1, 2020
These privacy policy updates and others mandated by the CCPA need to be made before the law’s effective date — January 1, 2020. Furthermore, your policy needs to be updated annually to remain compliant.
4. Users Can Sue for Loss of Privacy
In 1972, California added “privacy” to the state constitution’s list of inalienable rights. It was unknown at the time that nearly 50 years later, the greatest threat to Californians’ privacy would be the internet. Since then, California laws have been slow to acknowledge how online data plays into people’s right to privacy. The CCPA seeks to fix that.
Under the law, consumers have the right to sue for loss of privacy — even if no damages are suffered. That means if your business suffers a data breach, a user whose data was compromised (even without physical or monetary consequences) can sue your company through the California Attorney General. Since breaches most often affect multiple users’ data, compromised security can easily lead to class-action litigation. With that threat looming, it’s critical to adopt data protection measures and thoroughly evaluate your data-handling processes to arm your company against potential breaches.
5. Use the GDPR as Your CCPA Guidepost
The CCPA was passed in haste on the heels of the GDPR’s May 2018 institution. Although it was inspired by the GDPR, the bill that was ultimately signed into law is notably less strict than the EU’s comprehensive privacy act.
Still, the CCPA is just a first step in US efforts to adopt the same level of data protection that the EU is trying to enforce. Alastair Mactaggart — the father of the CCPA — has already drafted a proposal for another, even stricter California privacy law. What’s more, additional state laws are cropping up around the nation, while proposals for federal data privacy laws continue to make their way to Washington.
With more privacy legislation coming down the pipeline, there’s no such thing as being over-cautious in your compliance efforts. As the GDPR set the new standard for data privacy law, it’s a good idea to look to those requirements for guidance on meeting and exceeding the privacy demands of the CCPA, as well as the data laws still to come.
If your company isn’t CCPA-compliant yet, it’s time to get started. For a better idea of how to meet both CCPA and GDPR requirements, check out the CCPA vs GDPR infographic below:
https://termly.io/resources/infographics/gdpr-vs-ccpa/
KJ Dearie is a product specialist and privacy consultant for Termly, where she advises business owners and digital professionals on how to comply with the latest data privacy laws and trends.