Let’s get one thing straight – privacy protection is not going away.  California is the first US State to give its residents a high level of protection and control over their personal information.  It is not going to be the last. And protecting individuals’ rights over their information is a worldwide phenomenon driven by genuine concerns.

The California Consumer Privacy Act of 2018 (‘CCPA’) came into force on 1 January 2020. Any organisation, regardless of where it is based, that wants to do business in California has to comply with the CCPA, and although enforcement will not start until 1 July 2020, there is no ‘safe harbour’ period between now and then.

Those organisations using the Privacy Compliance Hub to achieve GDPR compliance will find the process of complying with the CCPA much easier. In turn, this will make compliance with future US state or federal privacy legislation simpler too. And remember, operating within the parameters set by privacy legislation is not just about avoiding fines and adverse publicity; it’s an opportunity to build trust and engage with your consumers.

Who the CCPA applies to

Any for-profit business, anywhere in the world, that ‘does business’ in the State of California and which:

  • collects personal information of California residents; AND
  • alone or jointly determines the purposes and means of processing consumers’ personal information; AND
  • meets any of the following thresholds:
    • has an annual gross revenue in excess of $25m;
    • buys, receives, sells or shares the personal information of at least 50,000 California residents, households or devices per year (‘personal information’ is broadly defined and includes IP addresses, so this threshold may be met simply by the number of California residents visiting a website);
    • derives at least 50% of its annual revenue from selling California residents’ personal information (again, ‘selling’ is widely defined to include disclosures not just for money but for other valuable consideration, although there are exceptions).

The rights the CCPA gives to California residents

California residents are given the following rights over their personal information:

  • Right to know – similar to the GDPR right of access albeit limited to personal information collected in the previous 12 months;
  • Right to delete – similar to the right to erasure/right to be forgotten under the GDPR;
  • Right to opt out of the sale of their personal information (under-16s must opt in); and
  • Right to non-discrimination following the exercise of any CCPA rights – examples of discrimination are charging different prices or providing different levels of service.

The penalties for non-compliance with the CCPA

The California Attorney General can issue penalties, with no overall cap, of up to $7,500 per intentional violation, or up to $2,500 per unintentional violation (which has not been cured within 30 days of notice) for CCPA breaches. Although the CCPA is not being enforced yet, it is widely thought that ‘per violation’ means per California resident affected. Additionally, California residents have the right to sue in certain circumstances.

How to comply with the CCPA

  • Undertake a personal information inventory – know what categories of California residents’ personal information you hold, where you hold it, how you hold it and who you share it with.
  • Review your processes – make sure you have a mechanism for complying with the right to opt out of the sale of personal information.
  • Update your privacy policy – consumers must be notified of their CCPA rights, how to exercise them, and the categories of personal information you collect, sell and disclose.
  • Take appropriate security measures – California residents may sue organisations if certain personal information is compromised due to a failure to maintain reasonable security procedures.
  • Check your relationships with data processors – ensure you have written contracts with data processors drafted to fall within the CCPA exception to a ‘sale’ of personal information.
  • Train all your staff in how to comply with the CCPA – now and continuously.
  • Evaluate your business model – the definition of ‘sale’ encompasses more than providing personal information for money. Organisations that rely on revenue from targeted advertising may see that revenue fall if many California residents invoke their ‘Do Not Sell’ right.

A culture of continuous compliance

In our view, the only way to comply with the CCPA is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the CCPA.