December 19, 2019
The California Consumer Privacy Act (CCPA) – one of the most comprehensive data privacy laws in the United States – gives consumers more transparency and control over how their online personal information is used.
Effective Jan. 1, 2020, the law will protect about $12 billion worth of personal information used for advertising in California each year, according to an estimate by the Standardized Regulatory Impact Assessment for the CCPA regulations.
It will cost companies, meanwhile, an estimated $467 million to $16.5 billion to comply in the next 10-year period, according to the same assessment.
What does CCPA do?
The CCPA entitles California residents to know what personal data is being collected about them, whether their personal data is sold or disclosed, the categories of third parties with whom their data is shared, and the business purpose of disclosing their personal data.
It also gives California residents the right to prevent the sale of their personal data, to access their personal data, and to instruct a business to delete their personal data – as well as protecting them from discrimination for exercising their privacy rights.
Which businesses must comply?
The CCPA applies to any for-profit enterprise that conducts business in California and meets one of the three following criteria:
- Annual gross revenue of over $25 million
- Buys, sells, or receives personal data of 50,000 or more consumers, households or devices
- Derives 50% or more of annual revenues from selling consumers’ personal data
How do businesses comply?
According to the California Department of Justice, businesses affected by CCPA must:
- Track or “map” data collected from consumers,
- Give notice at or before the collection of personal data,
- Develop and maintain procedures and deadlines for responding to consumer requests to opt out of the sale of, to know about, or to delete the personal information collected about them,
- Create a “Do Not Sell My Information” link on their website and mobile applications,
- Disclose financial incentives offered in exchange for retention or sale of a consumer’s personal information,
- Maintain records of requests to know, opt-out, or delete personal information collected and the company’s corresponding responses for 24 months to prove compliance.
Although CCPA is modeled after the European Union’s General Data Protection Regulation (GDPR), companies that already comply with GDPR will still need to review and reconcile differences in definitions related to requests for erasure of personal information and requirements for data tracking, or “mapping,” according to the California DOJ.
The price of noncompliance:
Each consumer, through private legal action, is entitled to collect between $100 and $750 for each violation of their personal privacy rights. These relatively modest fines can add up when thousands of consumers are affected by a single incident of a violation. The fines are considerably stiffer if the state attorney general brings an action against a company: $2,500 per violation and $7,500 if the violation is “willful.”