Companies are bracing for the Jan. 1 enactment of the California Consumer Privacy Act (CCPA).
Next year "will be a year that accentuates the impact that data collection has on consumers," Mike Anderson, co-founder and CTO at Tealium, told CIO Dive.
In 2018, companies with customers in the European Union got a taste of sweeping data privacy regulation with the General Data Protection Regulation (GDPR). The CCPA was a response to GDPR, but there are distinct differences, including:
- Regulated parties: GDPR applies to "data controllers" and "processors" established in the EU, whether or not the processing itself takes place in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU, according to Baker Law. The CCPA applies to for-profit businesses doing business in California that exceed $25 million in annual gross revenue, buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, or derive 50% or more of their annual revenue from selling personal information.
- Protected consumers: GDPR protects "data subjects," the identified or identifiable natural persons to whom personal data relates. The CCPA protects California residents, including those "domiciled" in the state but temporarily living elsewhere.
- Applicable data: GDPR and the CCPA define protected data in broadly similar ways, but the CCPA also covers information that can be linked to a household or a device, not only to an individual.
- Right to opt out: GDPR does not explicitly give consumers the right to opt out of the sale of their data to third parties. The CCPA does, and requires businesses that sell personal information to display a clear "Do Not Sell My Personal Information" link on their websites' homepage, according to Baker Law.
- Processing restriction: GDPR gives data subjects the right to restrict processing of their data, whereas the CCPA has no equivalent beyond the right to opt out of sale.
- Penalties: Both regulations levy fines, but unlike GDPR, the CCPA gives companies a 30-day period to "cure violations" before the state attorney general can seek civil penalties, according to Baker Law. GDPR fines can reach €20 million or 4% of a company's worldwide annual turnover, whichever is higher. CCPA civil penalties run up to $2,500 per violation, or $7,500 per intentional violation.
Not every company will be able to extend the CCPA's data rights to its non-California consumers, as Microsoft plans to do.
Under the CCPA, Californians are allowed to pursue civil suits for breach-related statutory damages, Peter Duthie, co-CEO and chief architect at Ground Labs, told CIO Dive. "Businesses should fear the new individual mandate, as that has the highest fine potential."
With heftier fines on the horizon, here are three CCPA to-dos before the New Year:
1. Don't look at the CCPA in isolation
California set the tone for the rest of the country when Governor Jerry Brown signed the bill, proposed by a wealthy real estate developer, into law in 2018.
The CCPA will likely become the "de facto standard" for other states developing data privacy legislation, said Duthie.
Now-dead bills in Connecticut and North Dakota, and pending bills in New York and Maryland, echo the CCPA.
While the industry waits on Congress for a comprehensive federal law, states will look to the CCPA for guidance. Research from customer data platform provider Tealium suggests companies craft internal policies that anticipate the likely features of future regulations.
Transparent and concise language, equipping consumers with the tools needed to act on their data, and a flexible model for adapting to future demands are all components of an effective privacy policy, according to Tealium.
2. Know the 'new' definition of privacy
With more state laws cropping up, myriad definitions for the same "behaviors" will arise.
"Although CCPA compliance is quite similar to the GDPR and is built from the same structure, there are differences that companies will need to address in order to fully comply without issue," said Anderson.
Drafting a "privacy manifesto" gives companies leverage in CCPA compliance and data collection, said Anderson. It will also help companies that want to follow Microsoft's universal compliance decision.
However, there are restrictions to general application of the CCPA. Differences in regulations, like the CCPA and GDPR, are "compounded when there are multiple regional jurisdictions to consider," said Duthie.
"It may not be practical for an organization to comply with every regulation globally, at least without the assistance of globally aware software capable of dealing with multi-region personal data," he said.
3. Revisit the current data management strategy
Consumers don't have time to read the fine print or opt out of data collection every day. They trust businesses until something goes wrong.
Almost all surveyed consumers, 97%, are somewhat or very concerned about their data's protection, according to Tealium. Half of consumers say they are uninformed about how companies use their data.
To alleviate those concerns, companies can adopt CCPA features into existing privacy policies and security processes. Revisiting a personally identifiable information management strategy could set companies up to "handle any nuances in state level regulations until a federal standard comes into play," said Duthie.
Only 15% of consumers said they would forgive a company for data-use violations, according to Tealium.
"Companies should take Microsoft's evolution as a motivation to offer the same rights as soon as possible," said Anderson.
The CCPA gives even companies that don't serve California residents the chance to get ahead of future privacy legislation.