The California Consumer Privacy Act – a guide for UK businesses
As California leads the US in implementing its own version of the GDPR, we explain how the two acts differ and what UK companies should know.
Over a year has passed since the General Data Protection Regulation (GDPR) saw the EU hand back control of personal data to consumers. For UK businesses during this period, the initial rush of frantic preparation has gradually given way to greater clarity around the day-to-day implications and implementation of the new rules.
Long before our 2018 deadline, California had already announced its own version of the regulation, known as the California Consumer Privacy Act (CCPA). Its own implementation date of 1 January 2020 now looms, and with less than six months to go, it’s crucial to understand how this new state law will impact businesses on both sides of the Atlantic.
Not only is it considered the strictest data protection law in US history, it is expected to set a precedent for similar acts across other states in coming years.
Will my company be affected by the CCPA?
Regardless of where in the world you are based, if you have a profit-making business with customers or employees in California – and you hold their personal data – then the answer is yes, as long as you meet one of the following criteria:
- Have a gross annual revenue totalling over $25 million.
- Hold the data of more than 50,000 California residents.
- Derive more than half of annual revenues from selling California residents’ personal data.
What does ‘selling’ personal data mean?
Selling is defined as disclosing, disseminating, making available or transferring personal data. In its broadest terms, personal data (as defined under the GDPR) is any information by which a living individual could be identified.
What are the differences between the GDPR and the CCPA?
The CCPA is far from a direct copy of the GDPR – the two differ fundamentally in a number of ways:
Opting in vs. opting out
The GDPR operates on an opt-in basis, where companies must actively request permission from consumers to retain and use their data. Under the CCPA, not only can any of California’s 40 million residents expressly forbid the sale of their personal data, but they can ask a particular company to disclose how their data is being used. That company then has 45 days to produce a report detailing usage of the person’s data over the last twelve months.
Penalties for breaching the CCPA
Fines differ from the GDPR in not just size but structure. The highest tier of GDPR fine sees companies pay €20 million or 4% of global annual turnover, whichever is greater. Businesses in breach of the CCPA will pay a civil penalty of up to $2500 per violation, or $7500 per intentional violation. Individual consumers may also bring a civil action of $100 to $750 or actual damages, whichever is greater.
Companies impacted by the CCPA
As outlined above, only for-profit companies doing business in California and satisfying certain criteria are regulated under the CCPA. The GDPR, on the other hand, applies to organisations of any size, profit-making or not, that process personal data of EU citizens.
The need for ongoing review
While the GDPR continues to shape new and existing company policies, much of last year’s flurry of activity centred on a single deadline. The CCPA demands immediate action, but also continuous monitoring long after New Year’s Day 2020. Companies will need to track personal data usage on a year-round basis so that the twelve-month record can be provided on request – effectively meaning that data from 1 January 2019 should now be readily available.
Companies will also have to engage in data mapping in order to be able to delete consumer data on request, and continuously evolve their privacy policies according to what personal data they are selling.
What rights do consumers have under the CCPA?
California residents can, once verified, request that a business:
- Discloses what categories and specific pieces of their personal data it has.
- Discloses the categories of sources from which their data was collected.
- Discloses the purpose for which it has collected or sold their data.
- Discloses the categories of third parties with whom it has shared their data.
- Deletes their personal data in its entirety (subject to certain exceptions).
- Does not sell their data (by clicking a “do not sell” opt-out).
The legal requirement to act within 45 days applies to all of these requests.
How can my company comply with the CCPA?
The main ways to comply with the CCPA are, as outlined above, the disclosure and deletion of data upon request. Companies must also obtain the express authorisation of consumers under 16 before selling their data (for consumers under 13, consent must be obtained from their parents).
In addition to this, however, companies must update their privacy policies to include:
- A full description of California consumers’ rights under the CCPA.
- The categories of all personal data collected and sold by the business in the last twelve months.
- The business purposes for which all data is collected.
- The categories of third parties with whom all data is shared.
- A clear link to the “do not sell” opt-out tool.
- Any financial incentives, such as discounts, offered to consumers for permitting the collection or sale of their data.
- At least two methods for submitting disclosure or deletion requests, including a phone number and email address.
What are the consequences of failing to comply with the CCPA?
As with the GDPR, it’s well worth making sure your business is fully compliant, as the consequences of breaching the CCPA go far beyond the strictly enforced financial penalties. Companies may face further legal action, significant reputational damage and erosion of trust in their business as a direct result of non-compliance.
If you have any concerns about preparing your business for the CCPA, it’s worth conducting an IT security audit to see what issues you might need to deal with.
Interested in learning more? Contact us today and we will be very happy to discuss your options.