Many believe the United States will, in time, adopt data privacy regulations similar to those in Europe and Canada. Consider the California Consumer Privacy Act (CCPA), which grants residents of California various rights regarding any personal information collected about them by a business.
CCPA went into effect on January 1, 2020, with the enforcement of these regulations taking place as soon as six months from then. How can your firm comply with this act and prepare for increasingly stringent data privacy regulations?
Read the following list for a high-level overview of the CCPA and to see whether the way you collect data in your CRM or time and billing system puts your firm at risk of non-compliance.
1. What is it?
The California Consumer Privacy Act (CCPA) is a bill meant to provide additional protections for residents of California concerning their data privacy.
2. What are the intentions of CCPA?
To enable residents to know what data is being collected about them, specifically:
- To know if their data is being sold to third parties or being disclosed to third parties, even without a fee
- To be able to say no to the sale of their data
- To be able to access the data that is being collected about them
- To request that a business collecting personal data about them delete that data
- To ensure that if they exercise their data privacy rights, they are not discriminated against
3. To whom does CCPA apply?
CCPA applies to any business, including not-for-profit, that collects consumers’ personal data and does business in California. In addition, the business must also satisfy at least one of the following three criteria:
- Annual revenue greater than $25 million
- Possesses data on more than 50,000 individuals, households, or devices
- Earns more than half of its revenue from selling the personal data of consumers
4. If CCPA applies to you, what are your responsibilities?
- Implement processes to obtain parental/guardian consent if your data collection includes minors under the age of 13 and the affirmative consent of minors between the ages of 13 and 16
- Include a link on your home page to enable consumers to express their right to say no to the sale of their personal data
- Publicize the methods by which consumers can start a data access request, which should at a minimum include a toll-free telephone number
- Update all of your privacy policies to reflect your responsibilities and accountabilities under CCPA and the rights of consumers under CCPA
- Do not re-solicit consent from a consumer within 12 months of the consumer opting out
5. What sanctions are in place if you breach CCPA?
Other organizations can enforce the opt-out rights of consumers, but the more important sanction is that companies that are subject to data breaches can, through class actions, be compelled to pay California residents compensation of between $100 and $750 per incident, or actual damages. The courts may also rule to award additional relief or damages at their discretion. Furthermore, fines of $7,500 for each intentional violation and $2,500 for each unintentional violation can also be levied.
6. What is personal data?
Under the terms of CCPA, personal data is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. An additional caveat covers any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
7. Is the use of publicly available data affected by CCPA?
CCPA does not consider publicly available data (such as on websites, social media, etc.) as being personal data and so it is not covered by CCPA. It is important to note that CASL and GDPR differ significantly in their position as it relates to this. CASL permits the use of publicly available data to imply consent, provided that there is not a statement on the source that expressly contradicts this; therefore, most data processors choose to avoid this permission as it is difficult to police reliably. GDPR does not consider the fact that data is publicly available as consent either implied or expressed, as each data process must be separately and individually assessed and justified.
8. Will other states follow suit?
There is a general consensus that the legislation being passed in California will start a domino effect across the states. However, whether or not other states introduce similar legislation is not really the point. The experience in Europe and Canada, which have had data privacy legislation for some time, is that clients expect businesses to have a respect for their data in terms of how they protect it, and so good practice must be for all businesses to apply the rules outlined in CCPA.
9. What do you need to do next?
The first step is to establish whether or not CCPA applies to you. Following that, it’s critical to understand where your data is and how you are using it. You will, of course, immediately think about CRM, but CCPA covers other data sources too, for example, your time and billing system.
10. How can you learn more?
Reach out to a trusted CRM consultant with specialized expertise in data management, like Wilson Allen! If you want to find out how we can help, then please contact us. You will also find the following online resources useful:
- California Legislative Information: Assembly Bill No. 375
- Forbes Technology Council: How Will California’s Consumer Privacy Law Impact The Data Privacy Landscape?
- MIT Technology Review: California’s new online privacy law could be huge for the US