Tag Archives: CCPA

January 1, 2020 – CCPA

The California Consumer Privacy Act (CCPA) will be enforced on January 1, 2020. We were nervous when the GDPR (General Data Protection Regulation) came into play, and that only governs the use of E.U. citizens’ data. The California law applies to personal data on any state resident, regardless of the location of the marketer. Many believe this is only the first of many states to follow.

Companies that are not compliant with CCPA are subject to hefty monetary penalties though a recent study of US Brands reflected that 56% of businesses surveyed don’t believe they will be compliant by the January 1 kick-off.

In the survey, many businesses sited the cost to become compliant as a major obstacle and equal to the price of a full-time employee. Some companies feel their business isn’t big enough to be subject to the law, or don’t think it applies to them.

To comply with CCPA, marketers must be able to respond to Californians’ requests about their personal data which include:
• Knowing what personal data is being collected
• Can request details on how their data is being processed
• Can access their personal data
• Can request to have their personal data deleted
• Know whether their personal data is sold or disclosed to third parties
• Decline or opt-out of the sale of their personal data

Many believe that the CCPA is complicated, and it is poorly written, leaving a lot of the verbiage open to interpretation.

The main goal of the law is to regulate the collection and sale of Personally Identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.

Now, individuals can tell you to stop disclosing their data to others; and you must comply. One cannot deny goods or services to anyone because of their data opt-out and that is making for a slippery slope. In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? One writer compared it to The Eagles Hotel California tune, “you can check out any time you like, but you can never leave.”

 

 

 

CA Consumer Privacy Act

Starting January 1, California’s Consumer Privacy Act (CCPA), will require all California for-profit businesses to disclose to consumers upon request the specifics of the personal information collected and its sources. Consumers can also require companies to delete personal information, refrain from selling it, and pursue legal action for failure to comply.

As the start date for the law draws near, giants like Google, Amazon, and Facebook, are working to help push through amendments that will make the law easier on businesses.

California is the first government in the US to regulate how businesses retain and use electronic consumer data. The legislation is the first response to the European Union’s GDPR, enacted last year. The General Data Protection Regulation allows the EU the power to fine companies that violate its consumer privacy protections. Google was slapped with a $57 million fine for failing to disclose data collection tactics to consumers, and Facebook is under several investigations from the GDPR governing body.

Personal information protected by CCPA include:

    • search and browsing history
    • geolocation data
    • IP addresses
    • email addresses
    • purchase records
    • records on consumption histories and tendencies
    • professional and employment information
    • educational information
    • audio, visual and thermal information

Fines for non-compliance range from $2,500 (if unintentional) or $7,500 per violation (if intentional) for companies that fail to cure alleged violations within 30 days.

As efforts to pass federal privacy legislation in Congress have languished, states have stepped up their pace. According to the National Law Review, five other states — Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico — have introduced CCPA-like privacy bills as of March 2019. Another three states — New York, North Dakota and Washington — have put forth consumer privacy bills to protect personal data.

A federal bill introduced in the Senate in December, The Data Act of 2018, remains in committee. As proposed, among other protections, the legislation would prevent “online service providers” from using individual identifying data in any way that would benefit the online service provider to the detriment of an end user.