- January 28, 2020
- Tags: Federal, Financial Services, Healthcare, Insurance, Legal, Managed Service Providers
article by: Ron Frechette, The Cyber Coach
There’s been a lot of hype about the California Consumer Privacy Act (CCPA). Many of our small-midsize business clients are asking how this will affect the way they conduct business and how it will affect the future of data privacy laws at the state and federal government levels.
This law was created due to consumer privacy concerns surrounding the collection, use, and protection of personal information and the increasing role personal data plays in today’s Digital Age business practices. I get it! It’s a bit concerning when a flashing Dunkin’ Donuts ad pops up on our mobile phone as we are driving down the highway and, by chance, a Dunkin’ Donuts happens to be at the next exit. The focus of this month’s article is to help our readers understand the law, what small-midsize businesses need to do to comply, and how it will affect the future landscape of Data Privacy laws.
The CCPA Defined
The CCPA, effective as of January 1, 2020, is the first law in the US that follows in the path of the European Union’s General Data Protection Regulation, commonly referred to as… GDPR. The law applies to “for profit” businesses in California that collect and process the personal information of California residents. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Talk about ambiguous!
Who Does the CCPA Apply To?
The CCPA applies to businesses, which are defined as for-profit organizations that collect personal information about residents in California, determine the purpose and means of the processing, do business in the State of California, and meet ONE or more of the following criteria:
- Annual Gross Revenue is over $25m
- An organization receives or shares personal information of 50,000 or more consumers, households or devices (this can add up rather quickly)
- A business receives at least 50% of annual revenue from selling California consumers’ personal information
It is important to note that a physical business presence in California is not required to be subject to this law. This matters in Florida especially: as a popular vacation destination, our state is visited by many California residents.
How to Comply with CCPA
There are specific Consumer Rights outlined in the CCPA that spell out what you need to do to comply.
Right to Notice – Businesses must inform consumers which categories of personal information will be collected and how it will be used. Businesses must also state this in their privacy policies, along with descriptions of consumer rights and how to exercise them.
Right to Access – Consumers have the right to request access to personal information that a business has stored about them, and the business is required to provide details about the information that was collected.
Right to Delete – Consumers can request to have their personal information deleted, and businesses must comply with their requests.
Look-Back Rule – When a consumer makes a legitimate request for access to their personal information, organizations are required to provide records covering the 12-month period preceding the date of the request.
In a nutshell, here is what SMBs need to do to comply:
- Scan your website to detect and categorize the cookies and other tracking technologies it uses.
- Customize a cookie banner and preference center and include a “Do Not Sell” link to enable users to opt-out of advertising and data collection cookies on your website.
- Automate the intake and fulfillment of California consumers’ requests to access or delete their personal information.
- Track “Do Not Sell” requests by various unique identifiers, such as account number or device ID, and respond within 45 days.
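The last two items above (and the Look-Back Rule earlier) boil down to bookkeeping: every request must be tied to an identifier, given a response deadline, and checked for the 12-month record window. The following Python module is an added illustration, not code from the article or from any compliance product; it assumes the 45-day window is counted in calendar days from the date of receipt, treats a “Do Not Sell” request as effective the moment it is received, and uses constructed sample identifiers (`acct-1001`, `device-abc`) rather than real consumer data.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Figures taken from the article. Assumption: the response window is counted
# in calendar days starting from the day the request was received.
RESPONSE_WINDOW_DAYS = 45
LOOK_BACK_MONTHS = 12
VALID_KINDS = ("access", "delete", "do_not_sell")


def parse(iso: str) -> date:
    """Parse an ISO-8601 date string such as '2020-01-15'."""
    return date.fromisoformat(iso)


def months_before(d: date, months: int) -> date:
    """Same calendar day `months` earlier, clamped to the end of the target
    month (31 March minus one month is 29 February in a leap year)."""
    year, month = d.year, d.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class ConsumerRequest:
    request_id: str
    identifier: str          # account number, device ID, etc.
    kind: str                # one of VALID_KINDS
    received: date
    fulfilled: Optional[date] = None

    @property
    def deadline(self) -> date:
        """Last day on which a response is still inside the 45-day window."""
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    @property
    def look_back_start(self) -> date:
        """Earliest date an access response must cover (12-month look-back)."""
        return months_before(self.received, LOOK_BACK_MONTHS)

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled is None and today > self.deadline


class RequestLedger:
    """Tracks consumer requests by request id and lets you query by identifier."""

    def __init__(self) -> None:
        self._requests: Dict[str, ConsumerRequest] = {}

    def intake(self, request_id: str, identifier: str, kind: str,
               received: str) -> ConsumerRequest:
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown request kind: {kind}")
        if request_id in self._requests:
            raise ValueError(f"duplicate request id: {request_id}")
        req = ConsumerRequest(request_id, identifier, kind, parse(received))
        self._requests[request_id] = req
        return req

    def fulfil(self, request_id: str, on: str) -> None:
        self._requests[request_id].fulfilled = parse(on)

    def by_identifier(self, identifier: str) -> List[ConsumerRequest]:
        return [r for r in self._requests.values() if r.identifier == identifier]

    def opted_out(self, identifier: str) -> bool:
        """True once any Do Not Sell request exists for this identifier;
        the opt-out takes effect at intake, not at fulfilment."""
        return any(r.kind == "do_not_sell" for r in self.by_identifier(identifier))

    def overdue(self, today: str) -> List[ConsumerRequest]:
        """Open requests past their deadline, earliest deadline first."""
        t = parse(today)
        return sorted((r for r in self._requests.values() if r.is_overdue(t)),
                      key=lambda r: r.deadline)


def sample_ledger() -> RequestLedger:
    """Constructed sample data (not real consumers) to exercise the ledger."""
    ledger = RequestLedger()
    ledger.intake("R1", "acct-1001", "access", "2020-01-15")
    ledger.intake("R2", "device-abc", "do_not_sell", "2020-01-20")
    ledger.intake("R3", "acct-1001", "delete", "2020-02-10")
    ledger.fulfil("R3", "2020-02-20")
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    for r in ledger.overdue("2020-03-10"):
        print(f"{r.request_id} ({r.kind} for {r.identifier}) was due {r.deadline}")
    print("device-abc opted out:", ledger.opted_out("device-abc"))
```

Running the module lists the two constructed requests that have slipped past their 45-day window as of 10 March 2020 and confirms that the device-level “Do Not Sell” request is honoured. The month arithmetic in `months_before` is the one non-obvious piece: a naive “subtract a year” on 29 February would raise, so the day is clamped to the target month’s length.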
CCPA Fines & Penalties
Violations of the CCPA are subject to enforcement by the California Attorney General’s office. Businesses have 45 days to respond to consumer requests. Any damages that occur due to a breach are limited to $750 per consumer, per incident. The CCPA allows businesses a 30-day window to amend any violations, as long as they can prove they have been resolved and that no more will occur. Otherwise, violators might face penalties of up to $7,500 for each intentional violation.
The Future of Data Privacy Laws
The passing of the CCPA has prompted several other states, including Florida, to begin enacting legislation to impose similar Data Privacy Laws. The Florida privacy companion bills were introduced in both the state’s Senate (SB 1620) and House of Representatives (HB 963). If enacted, the law will become effective in July 2020. A US Federal Privacy Law is also under consideration. The House Energy and Commerce Consumer Protection and Commerce Subcommittee Chairwoman Rep. Jan Schakowsky (D-IL) is leading the charge in drafting a bill that could be signed into law over the next year. This would give the Federal Trade Commission more authority to enforce data privacy laws and to impose fines and penalties on those businesses found non-compliant.
As the Data Privacy legal landscape evolves, it is imperative that SMBs are made aware of these changes. Taking a proactive stance will significantly mitigate the risks of fines, lawsuits, and brand damage. Until next month, wishing you a safe and prosperous journey in cyberspace!