Earlier this week, enforcement of the California Consumer Privacy Act (CCPA) began. Although perhaps somewhat overshadowed by the ongoing Covid-19 pandemic, this is a significant moment for data privacy in the US.
The act itself took effect on 1 January 2020, but enforcement was deferred for six months to give businesses time to become compliant.
What is CCPA?
According to the State of California Department of Justice, the act “grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors”.
It applies to for-profit businesses that collect the personal data of more than 50,000 California residents a year, have annual gross revenue of more than $25m, or earn more than half of their annual revenue from selling consumers’ personal data. The regulation applies to such organisations whether they are based inside or outside California.
In terms of sanctions, organisations can be fined up to $7,500 for each intentional violation and $2,500 for each unintentional violation. If a company suffers a data breach, consumers can seek statutory damages of between $100 and $750 per California resident per incident.
“Privacy first must be the mindset for organisations”
CCPA is regarded as the most sweeping privacy regulation in the US to date, but there are fears that businesses may not be ready. According to research by Ethyca, 56% of respondents said they were “unprepared for new privacy regulations coming in around the globe”.
Dan Clarke, president of IT services company IntraEdge, told Verdict that it is essential that privacy is at the forefront for all businesses:
“CCPA fundamentally means a business has to consider privacy as intrinsic to the data in their business. Enforcement today will be an end to the “wait and see” mentality that businesses have adopted regarding the CCPA. Companies will need to implement a mechanism to allow consumers to exercise their privacy rights if they have not already done so. We expect to see actions quickly from [Attorney General of California] Xavier Becerra, especially against those who are flagrantly non-compliant.
“Privacy first must be the mindset for organisations moving forward. At a minimum, companies must be visible in their compliance by providing consumers with a prominent “Do Not Sell My Information” link (where applicable) on their website, including a mechanism to make requests and an opt-out of the sale of data. Keep in mind, if a customer can’t easily determine how to exercise their rights, it’s much easier to enforce a fine for non-compliance.”
“California residents are setting the bar very high for the rest of the US”
With the EU’s General Data Protection Regulation (GDPR) coming into force in 2018, many have asked whether federal privacy law could be introduced in the US. This has not yet materialised, but several states are bringing in their own regulations.
Although comparisons between CCPA and GDPR are unavoidable, there are some key differences. Some have criticised a lack of GDPR enforcement, with only one in three organisations fully compliant according to research by Capgemini. Clarke believes that the enforcement of CCPA could be more aggressive:
“In comparison, the regulations are similar in concept, but CCPA has unique elements, especially when you dive into the details. In addition, while fines were slow to start in GDPR, the enforcement mindset of Xavier Becerra is likely to set a more aggressive tone to his build-up rhetoric. He has made it clear that the pandemic will not extend enforcement as companies should have been in compliance since January 1, 2020, and enforcement starts today.”
One of the concerns surrounding consumer privacy regulation in the US is the adoption of different rules by individual states, which could create a complex regulatory environment. Clarke believes that other states could soon adopt similar privacy regulations of their own, but that the pandemic has slowed progress:
“Fifteen other states have pending legislation. California residents are setting the bar very high for the rest of the US, as Alexander Mactaggart has already submitted an amendment to the CCPA in the California Privacy Rights Act (CPRA), which is confirmed to have made the November 2020 ballot. Other states are looking to pass similar privacy laws, but due to the pandemic, it has been slow-moving.
“This could create a patchwork of potentially different laws but is highly likely to be the reality until we get Federal legislation. A privacy-first mindset can be challenging to adopt with state-specific regulations. Considering each state could have various sections associated with state-specific privacy laws, businesses may be slow to adapt to new privacy changes with so much complexity among state regulation. Privacy regulations are fluid, and they will evolve, which is why implementing an automated platform that can scale with global and local privacy is necessary to comply within the privacy landscape.”