When a privacy notice comes up on a website that’s you’re browsing, do you actually stop to read it in full? Does it make you pause, even if it’s just briefly, before clicking the “I Accept” button?
The standard wording is actually quite lengthy:
First Came GDPR
Most of us now at least know what it stands for, which is General Data Protection Regulation. Maybe we also know that it was enacted back in April of 2016 but did not go into effect until May of 2018. But we should know more about it because in many ways GDPR is the precursor to the new California privacy act. You can read about GDPR in our recent article: “GDPR: How It Affects Our Business and Yours.”
The complete GDPR guidelines are a veritable door stopper in size. The California act may be few pages shy of that.
Then Came the California Consumer Privacy Act (CCPA)
If we didn’t pay much attention to GDPR, because it’s an EU regulation that we erroneously in many cases believed did not apply to us, we had better take heed of the California act. Because that act is almost certainly going to roll out across the United States.
It was signed into law in June (2018) and will go into effect on January 1, 2020. And don’t make the same mistake twice. This act will impact a huge swath of American companies with revenues of more than $25 million (or hold personal data for more than 50,000 consumers, or derive more than 50% of their annual revenue from selling consumers’ personal information).
CCPA in a Nutshell
On Jan. 1, 2020, a California resident will have legal right to ask any big (>$25 million) company in the U.S. what they are doing with their data, and each company will have to respond within 45-days, regardless of where that company is doing business. It’s not the geographic location of the company that counts. It’s the potential interaction that company has with any California resident.
American companies to identify all of the categories of personal information they process relating to California residents and disclose who they sell it to or share it with, upon request. California consumers will also the right to opt out of the processing and selling of their information.
California Goes Even Further than the EU
While it may be hard to believe, in fact, some of the California provisions are more stringent than those imposed by GDPR. For example:
The California Consumer Privacy Act goes further than the GDPR with a broader definition of personal information, which includes tracking technologies and unique identifiers such as IP addresses and device identifiers. This places a greater obligation on American companies to fully identify their personal information estate, especially if they’re collecting information on citizens as they move through their websites and the wider Internet.1
The California Consumer Privacy Act also requires organizations to disclose accurate names and contact addresses for the third parties that they have sold personal information to in the past 12 months, an obligation not included in the GDPR. This is going to give the American people (and Californian journalists) the ability to start mapping out the networks of data buyers and sellers who were previously operating in secrecy.1
Thoughts and Conclusions
A heavy burden is being placed on U.S. (not just California) companies, one they would do well to start preparing for now. Many experts would say that it’s high time. And at least that many have reason to believe that similar action will soon be taken at the federal level.
One scary thought is the potential cost of noncompliance. CCPA provides consumers a private right of action for violations of the law, imposing penalties for violation of up to $750 per consumer per incident. The potential impact of these penalties is significant: a company that suffers a breach affecting 100,000 records with personal information can result in a potential fine of up to $75 million.2
Another scary thought is the army of people who will need to be enlisted and trained to make sure that their companies comply. Unless of course “there’s an app for that!”
For more information, call us at 310.539.4645 or email us at email@example.com. We look forward to speaking with you soon.