The California Consumer Privacy Act (CCPA) sets rules that make it easier for consumers to control their personally identifiable information (PII). Initially passed in 2018, CCPA has received some updates over time. As of July 1, 2020, California’s Attorney General will have the ability to enforce the rules defined by the privacy act, and companies that do not follow CCPA could face steep penalties.
CCPA has some similarities to the European Union's GDPR, but there are also differences that make this an important topic for business leaders to understand.
Rights Granted by CCPA
CCPA takes specific actions to give California consumers better control over their private information. For example, CCPA establishes the right to:
- Know what information companies collect, use, share and sell
- Delete personal information collected by businesses
- Prevent companies from selling their personal information
CCPA also includes a non-discrimination clause that protects consumers when they exercise their CCPA rights.
What CCPA Considers Personal Information
CCPA uses a broad definition of “personal information.” According to CCPA, personal information includes:
- A person’s name and aliases
- Postal addresses
- Social Security numbers
- Account names
- Driver’s license numbers
- Passport numbers
- IP addresses
- Records of personal property, purchases, and buying trends
- Geolocation data (such as where your phone says you are)
- Education and employment history
- Internet browsing and search history
- Biometric information (such as the data a Fitbit collects to help you reach fitness goals)
CCPA also protects any information pertaining to your voice, temperature, and even your smell.
New CCPA Obligations for Businesses
CCPA goes a bit further than giving Californians more control of their personal data. It also establishes new obligations for businesses. These obligations include:
- Notifying consumers before collecting their data
- Creating processes that make it easy for consumers to opt-out of data selling
- Responding to consumer requests within reasonable timeframes
- Verifying the identities of consumers who make requests
- Disclosing the financial incentives for selling personal information
California expects that companies will spend between $467 million and $16,454 million between 2020 and 2030 complying with CCPA.
Companies That Must Follow CCPA Rules
Not all companies have to follow the rules established by CCPA. Though the regulations are not entirely clear on this point at the time of this writing, the law suggests it applies to California-based businesses, as well as businesses that conduct online transactions with California citizens, have employees based in California, or have another significant connection to the state. The company must also meet any one of the following criteria to be subject to CCPA regulation:
- Have annual revenues over $25 million
- Earn at least 50% of their revenues by selling personal information
- Buy, receive, or sell personal information from at least 50,000 consumers, households, or devices
Companies that work with the personal information of 10 million or more people (see revisions on page 23) will need to follow additional rules. For example, they will have to keep track of the number of requests they receive from consumers each year, and post the information on their websites.
CCPA Copycat Legislation State-by-State
California isn’t the only state that wants to start giving consumers more control over their personal data. Bills similar to CCPA have already been submitted in several states, including Maryland, Hawaii, New York, and Mississippi.
Hawaii's SB418 has the potential to give the state's residents even more protection than CCPA. The bill doesn't define "business," so it could apply to any company that collects data about its users. Currently, though, the bill does not provide any penalty guidelines for businesses that disobey the law.
Maryland's SB613 is almost an exact copy of CCPA with a couple of noteworthy exceptions. Maryland's bill would give consumers more control over all of their personal data. Unlike California, where individuals can tell businesses to delete information that they have provided, Maryland would give consumers the ability to tell businesses that they must delete all of their personal data, regardless of where the information comes from. The Maryland bill does not, however, give individuals the right to sue companies for violations.
SD341 in Massachusetts will have the same effect as CCPA. Massachusetts, however, is working to use clearer language that will help residents and organizations understand how to follow privacy laws.
Mississippi failed to pass HB1253 in 2019, but a similar bill will likely get introduced in the near future. True to the spirit of "copycat legislation," it even went so far as to lift exact phrases from CCPA.
New Mexico's SD176 would establish the same laws as CCPA. The New Mexico bill, however, has a more structured framework that should make it easier for everyone to understand their rights and responsibilities. It also includes a provision for the state to update the regulations annually.
New York's S00224 doesn't prevent companies from gathering personal information. It would, however, force companies to disclose what types of data they collect before they can share the information with third parties.
North Dakota's HB1485 doesn't go nearly as far as CCPA, but it does give residents more control over their personal data by requiring companies to get consent before sharing information. Businesses would need to send requests via mail or email.
Rhode Island's S0234 looks very similar to CCPA. It does not, however, make the state's Attorney General a regulatory enforcer, which is the biggest difference between Rhode Island's approach and CCPA.
Washington and Texas have failed to pass CCPA-like bills. It’s unlikely that these states will drop the matter, though. Each year will probably bring updated bills designed to attract more votes from state legislators.
Benefits of Compliance
Lawmakers created CCPA to give consumers more power. CCPA compliance will force a lot of companies to spend money on updating their technology, but it will also bring businesses some benefits.
First, it will create a more open culture between businesses and their customers. Giving more control to consumers may create short-term financial damage, but it will also force companies to adopt improved transparency, which will make it easier for the consumer to trust them. Ultimately, consumers will like this change, and they will feel more attracted to companies that do a good job showing how they comply with CCPA.
Second, CCPA’s enhanced security requirements will help protect organizations from data breaches. Data breaches do enormous damage to brands. In 2019, the average global cost of a data breach was $3.92 million. In the United States alone, the average was $8.19 million. It makes more sense for a company to invest in CCPA compliance that will help protect its brand’s reputation than to lose money in the years after a data breach.
Third, complying with CCPA makes it easier for you to tap into California’s enormous consumer base. California has a population of nearly 40 million people. One study shows that 90% of California’s households used the internet in 2017 (the most recent data available). Complying with CCPA, therefore, means that you can reach about 36 million potential customers without facing penalties.
Finally, as more states plan to adopt CCPA copycat laws, you might as well start following the guidelines now. Eventually, CCPA will affect your business's ability to succeed. It makes sense to prepare before it's a problem instead of waiting for other states to put pressure on companies.
Penalties for Non-Compliance
Civil penalties for failing to comply with CCPA standards include fines starting at $2,500 for unintentional non-compliance and $7,500 for intentional non-compliance. Companies can avoid penalties by fixing non-compliance issues within 30 days of notification.
These fines may not seem that high for a company that generates at least $25 million in revenue per year. However, the more significant financial consequences may come from California residents. Individuals can file civil suits against companies that don’t comply with their requests or follow CCPA guidelines. Even if a company avoids government fines by fixing non-compliance issues, consumers can still sue the organization.
While $7,500 may not mean much to a multi-million dollar corporation, the cost of hiring lawyers and settling lawsuits with consumers could be significantly higher, to say nothing of the bad PR it will generate. Suddenly, the financial burden of non-compliance becomes much more severe.
How to Comply With CCPA Guidelines and Protect Your Business
Depending on your industry, you may have to do several things to comply with CCPA guidelines and protect your business. Some industries have it easier than others. For example, if you develop mobile games, you can probably align your business model with CCPA by adding a button that informs users of their rights and asks them if they want to opt out of data sales. You will also need to add a way to verify the user’s identity.
Things get much more complicated in industries like finance and healthcare. In these areas, you have to take special precautions to make sure that no one has access to the personal information of your customers. Any data leak could lead to fines and civil suits that cost millions of dollars.
Whatever your industry, there are two things you can do right away to improve your compliance standing.
1. Choose Secure Databases and Data Warehouses
You need to think about where you store your data. The more secure your databases and data warehouses are, the easier it becomes to comply with CCPA.
Ideally, you should choose a database or data warehouse that:
- Meets physical security standards that prevent unauthorized people from accessing servers
- Uses firewalls to keep out hackers
- Uses robust data encryption to make it nearly impossible for unauthorized people to understand the data
- Maintains control over who has access to the various levels of your data
- Performs frequent audits to test for security flaws and suspicious activity
Good security can’t guarantee your data’s protection, but it will dramatically lower your risk of falling victim to bad actors or human error.
2. Choose ETL Tools That Take Data Security Seriously
Make sure that the ETL tool you choose meets the highest levels of security. First and foremost, your ETL solution should use encryption that prevents anyone else from reading the data as it moves from a data source to its destination.
Tools should also have high standards for user verification. Demand strong passwords and the option to set various levels of authorization. Your employees only need access to the data that pertains to their jobs; they shouldn’t have access to all of the information you store.
Integrate.io and ETL Security
Companies that collect a lot of data need an ETL platform so they can extract, transform, and load all that information. If you have multiple data formats, for instance, you need an ETL solution that will transform the information before loading it into your analytics app.
Integrate.io complies with all standards established by CCPA. Our no-code/low-code ETL platform even gives you field-level encryption. Clients can create their own encryption keys to mask data as it moves through Integrate.io pipelines. With field-level encryption enabled, not even Integrate.io’s admins can view the data that you extract, transform, and load.
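To make the field-level encryption idea concrete, here is an added example (not Integrate.io's code, and not the platform's actual implementation) of what a pipeline stage can do: the CCPA personal-information fields of each record are sealed with AES-GCM under a key that only the client holds, so anyone operating the pipeline sees ciphertext, while the destination that holds the key can open each field. The field names and the sample key in the test are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// piiFields marks the fields treated as CCPA personal information (constructed list).
var piiFields = map[string]bool{"name": true, "ssn": true, "ip": true}

// newGCM turns the client-held key (16, 24 or 32 bytes) into an AES-GCM AEAD.
// The pipeline operator never sees this key, so it cannot open the sealed fields.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals every PII field in place, prepending a fresh random nonce so
// equal plaintexts do not repeat; non-PII fields stay readable for transformations.
func encryptRecord(gcm cipher.AEAD, rec map[string]string) error {
	for k, v := range rec {
		if !piiFields[k] {
			continue
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		rec[k] = base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(v), nil))
	}
	return nil
}

// decryptField opens one sealed field at the destination; a wrong key or a
// tampered value fails the GCM authentication tag and returns an error.
func decryptField(gcm cipher.AEAD, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	n := gcm.NonceSize()
	if err != nil || len(sealed) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	return string(pt), err
}
```

Because the key never travels with the data, a compromised pipeline host or an over-privileged administrator account exposes only the sealed values and the non-PII fields.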
CCPA requirements will probably change over the years, and more states and countries will adopt privacy procedures. But no matter what the regulation, Integrate.io remains committed to giving users the highest level of security so they can stay compliant and avoid the expense of fines and lawsuits. If you need a CCPA Data Processing Addendum from your representative or would like to view the Integrate.io platform in action, contact us today.