The California Consumer Privacy Act (CCPA) went into full effect on January 1, 2020, and while the majority of companies understand why the Act was put in place, many aren’t fully aware of the bigger implications – how businesses will be affected holistically, how to prepare, and what may be coming down the pipeline with regard to new data privacy regulations.
The brass tacks, guidelines and rules to follow
Under the CCPA, California consumers have been given broad new privacy rights and have the right to ask that any business disclose to them what personal information they hold about them or their household. They can also direct a business not to sell their personal information, and request that it delete all collected data.
Under the CCPA, businesses that do business in California, irrespective of whether they are based in California, and that process data about California consumers, must be more transparent about how they manage, store and use their Californian customers’ data. With a few exceptions, a business must disclose, upon request, the specific personal information it has collected about any individual Californian consumer and, if that data has been sold, provide additional details.
How to prepare properly
Considering that many U.S. and even worldwide businesses ship products to California, or have online properties (e.g., websites) that are available to Californians, a significant number of businesses will need to make timely preparations and ensure ongoing compliance processes are in place. Under the law, Californian consumers have a new private right of action for data breaches with legal penalties for non-compliance ranging up to $750 per breach (or actual damages if greater). However, beginning July 1, 2020, the legal penalties for a data breach could increase significantly (to a maximum penalty of $7,500 per breach) if the attorney general is involved in pursuing the legal action.
In order to prepare for this new legislation, businesses must:
- Determine whether or not the CCPA applies because they meet one or more of the criteria below:
  - Has global annual gross revenue in excess of $25,000,000; or
  - Alone or in combination with another business, buys or sells the personal information of 50,000 or more consumers, households or devices; or
  - Derives 50% or more of annual revenue from selling consumers’ personal information
If the CCPA does apply:
- Ensure they are ready for the CCPA’s “look-back” period, which requires them to be able to disclose personal information for 12 months prior to the date of any disclosure request, and
- Train employees on what the CCPA is and how any internal processes may change, and
- Provide a toll-free service line for incoming CCPA requests
CCPA’s immediate effects for businesses and consumers
Many companies today have created a lucrative business from their users’ personal information. In fact, many tech companies allow advertisers to target users based on demographics, search history and preferences. And, for the most part, companies could largely do what they pleased with consumer data – until now.
While compliance with this legislation may feel daunting, amendments have been made to the law to make certain aspects easier. For example, HR information and personal information in the context of B2B communications have been exempted from the law until 2021.
Impact of this regulation on a larger scale
While there are state-specific notification laws surrounding how companies need to respond in the event of a data breach, Congress has yet to pass federal legislation addressing how companies are to gather and use consumer data.
In the United States, state-level momentum for comprehensive privacy bills is at an all-time high. Soon after the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers within their own borders. Nevada and Maine have already passed their own laws, while New York, Hawaii, Massachusetts and Washington are all considering their own laws with varying degrees of austerity and imminence.
Generally, businesses across the U.S. should use California’s new legislation to get a head-start on preparing for any new regulation that might be coming to their home state or at a federal level. When enacted and incorporated correctly, this type of regulation has the potential to have a positive influence on both consumers and corporations alike.
Learn more about the CCPA and access useful resources that can help businesses adapt and become compliant in time for the new legislation here: https://sage.com/en-us/ccpa.
Adam Prince, Vice President of Product Management, Compliance, Brexit and Migration at Sage. Adam leads the global Sage product compliance team where, in addition to supporting Sage product teams to build the features that accountants and businesses need to enable customers to meet their compliance obligations, he tracks changes in legislation, collaborates with national tax authorities and advocates for business efficiency, security and automation.