The California Consumer Privacy Act: What You Should Know

Kayla Matthews


GDPR or the European Union’s General Data Protection Regulation effectively altered the way that businesses interact with European citizens. It doesn’t matter whether a company is located within the boundaries of Europe or not — if it does business with citizens protected by the regulation it must follow the set guidelines.

You could say it threw quite the curveball at the business world, and it continues to ruffle a few feathers. Well, that’s about to happen again thanks to California’s Consumer Privacy Act.

Despite being passed in June 2018, the bill doesn’t go into effect until January 2020. Like GDPR, that gives businesses time to prepare and ensure they are compliant. It’s likely, however, that many are not ready for what it entails.

What Is the Consumer Privacy Act?

As the name implies, CCPA or the California Consumer Privacy Act is designed to protect the rights of California citizens when it comes to digital content and data. It deals with the collection, storage, security and sharing of all consumer-related information.

The bill allows consumers to request access to all the information a business has collected about them. More specifically, businesses must disclose what categories and pieces of information they have, how they acquired said information, what they use it for and who they shared it with. In addition, the sharing and selling of information for business purposes must be identified and explained in full.

Moreover, businesses must purge data upon request, provide their customers with controls or opportunities to do this, and direct third parties to delete the personal records and information too.

What Are the Business Obligations?

The simple description above doesn’t necessarily outline the obligations and requirements of the average business, so here they are broken down in more detail.

Businesses must do the following:

  • Provide opportunities to request details about personal records and data, along with controls to purge said data.
  • Disclose, in full, the pieces and datasets of information that the business has collected and stored.
  • During or before collection, businesses must inform consumers about what they gather and why.
  • Upon request, all stored data must be disclosed, for free, no more than twice in a 12-month period.
  • Retain personal information collected only for a single, one-time transaction if it is not sold or stored — data must be purged completely afterward.
  • Reidentify, link or disclose additional data that, in the usual course of business, is not maintained in the same manner as personal information.
  • Opt-out opportunities should be made available to prevent the collection of personal information before service is rendered.
  • All consumers have a right to equal service and pricing even if they exercise their privacy rights and decline data collection.

The next question is which companies this regulation applies to. For CCPA to apply to businesses that operate in California directly or collect personal information from its residents, their devices or their households, even from outside the state, these criteria must be met:

  • Businesses that have annual gross revenue exceeding $25 million.
  • Any company that buys, sells or shares the personal information of 50,000 consumers, households or devices annually.
  • Businesses that earn 50% or more revenue as a result of selling customer information.

Furthermore, it should be noted that just because a business is prepared for or in compliance with GDPR does not mean it is automatically compliant with CCPA. There are similarities, but they are two different regulations and should be treated as such.

What Happens With Non-Compliance?

Businesses have a period of 45 days to respond to consumer requests for data. In addition to disclosing information and providing deletion opportunities, a business must allow consumers to opt out of data collection processes beforehand.

For non-compliance and violations, consumers can sue the business for any wrongdoing, and further fees and monetary fines may be incurred too. Therefore, non-compliance can be incredibly damaging to affected businesses.

The reality is that most companies are not ready for this regulation to go into effect. But it certainly won’t be the last as more pressure is put on policymakers to protect the rights of consumers in the wake of cybersecurity threats and many wrongful applications of personal information.

The state of Georgia, for example, is working on a similar bill that will protect its residents. It won’t be long before other states and municipalities follow suit. Other countries have started to weigh the idea, with India serving as the prime example.

It is long overdue in many cases and will force businesses to handle consumer information and content properly. But it’s also coming much faster than perhaps anyone expected, which unfortunately means many companies will be unprepared.

It’s likely we will see a wave of non-compliance and violation proceedings as a result, at least over the next few years.
