Governor Jerry Brown last month signed into law the California Consumer Privacy Act. The CCPA is the state’s response to a growing concern that consumers need stronger means to protect their personal information.
The issue came to a head in part due to recent breaches that exposed the personal data of millions of American consumers. However, the CCPA also addresses other privacy incidents that have affected millions of people in California and beyond.
The new law, which is viewed as one of the most far-reaching consumer protection privacy laws in the United States, will go into effect on Jan. 1, 2020.
At that time, businesses will have to comply with a range of new requirements. The CCPA’s end goal is to ensure that consumers enjoy “choice and transparency” when it comes to their personal information. For companies based in California, or for those that do business with clients or customers in California, this could be a truly big deal — and it isn’t something any business should ignore.
However, CCPA isn’t the only new privacy law that online businesses –big or small — need to take notice of at this time. The European Union’s General Data Protection Regulations went into effect this spring, and even with two years of warning, many companies were caught off guard. Many companies geo-blocked their content from IP addresses in Europe as a response to the new regulations.
EU lawmakers approved the GDPR more than two years ago to replace the previous Data Protection Directive in the 28-nation bloc. The goal of the GDPR was to give consumers greater control of personal data collected by companies online. It applies not only to organizations that are located within the EU but also to companies outside the region if they offer goods or services in the EU or have any type of digital footprint with consumers there.
CCPA has been the center of controversy, as its many critics have contended that it was a hastily passed law that came about only as part of a deal brokered by the state legislature and Brown as a way to avert what could have been an even more costly fight over a proposed ballot initiative.
That proposal, which was backed by the state’s privacy activists, could have resulted in an even more stringent measure appearing before California voters in November.
CCPA grants residents in California the following rights: 1)to know what personal information is being collected about them; 2)to know whether their personal information is sold or otherwise disclosed and to whom; 3) to say no to the sale of their personal information; 4) to access their personal information and request deletion under certain circumstances; and 5) to receive equal service and price, even if they exercise their privacy rights.
At this point, it is still unclear as to how CCPA will actually be enforced, but those violating the law could face fines ranging from US$100 to $750 per consumer per incident. More importantly, CCPA also empowers the state’s attorney general to pursue cases against businesses for damages of up to $7,500 per instance for “intentional violations.”
“CCPA deals with the data of California consumers,” said Laura Jehl, a partner with BakerHostetler and co-leader of the firm’s General Data Protection Regulation initiative.
“Not that many businesses online in the United States don’t have any California customers,” she told the E-Commerce Times. “If you offer goods and services and don’t comply with the law, you could face a fine. In California, it is also up to the discretion of the state’s AG to determine whether to go after violators.”
GDPR and American Companies
American companies — especially smaller firms — may think they won’t be affected by the EU’s GDPR, but that could be as far-reaching, or even more so, than CCPA.
“U.S. small businesses may or may not need to address GDPR compliance, as GDPR applies to any EU business and companies that process the personal data of EU citizens,” said Greg Sterling, vice president of strategy and insights at the Local Search Association.
“If U.S. small businesses are involved in the collection, storage or usage of personal data of EU citizens, they will need to comply, but if they have no dealings with EU citizens, they do not,” he told the E-Commerce Times.
Yet “GDPR is already relevant to American businesses that provide services through the Internet, as they often have international customer bases and provide services to EU countries,” said Erik Ashby, principal program manager at Helpshift, a San Francisco-based customer support technology platform.
“If EU citizen data is involved, businesses must have opt-in consent for storage and use of that data — consent is mostly not required for legal uses of pre-existing data,” added LSA’s Sterling. “In asking for consent, businesses must inform people of the specific, intended data uses, while data owners have a right to revoke consent and withdraw their data at any time.”
Devil in the Details
GDPR is very specific in terms of its rules as well.
“Consent for one purpose can’t be used to justify another, unrelated purpose,” explained Sterling.
“Categories of ‘sensitive’ data — e.g., children — carry additional requirements,” he noted. “Large-scale data processors, which most small businesses are not, may require the hiring of a data protection officer as well.”
Here is where the devil could truly be in the details, as data must be maintained in a secure and appropriate way for its intended use, and it should not be accessible to unauthorized parties. Further, data breaches must be communicated to victims — and potentially authorities — in a timely way.
“There must also be procedures in place to enable the owners of the personal data to access or request that it be deleted,” Sterling pointed out.
“As we have seen with CCPA, we expect that other governing bodies will follow the precedent set by the EU with GDPR,” Helpshift’s Ashby told the E-Commerce Times. “Most importantly, GDPR provides a set of basic guidelines that are fundamental to protecting customers, regardless of where they are.”
Businesses still have time to prepare for CCPA, but companies that are not yet compliant with the EU’s GDPR face serious fines of up to 4 percent of annual global revenue or 20 million euros (US$24.6 million), whichever is larger.
“This is a much stricter law, as GDPR makes very few exceptions when you process data, and it doesn’t matter if you are a small business or even a not-for-profit,” warned BakerHostetler’s Jehl.
“GDPR is about protecting the data of EU citizens, and whether you have offices in the EU or not, you still need to be compliant,” she added. “An example could be a small hotel chain that has had EU customers in the past and decides to market to them via email or online — and when you do so, you need to be compliant in how you use their personal data.”
Fine Time in the EU
Firms that are found in violation of the law could face those rather hefty fines.
“What we have seen is that EU regulators have indicated that they won’t enforce the full extent of the fines in the first couple of months, and that is a good sign for businesses that aren’t yet compliant,” said Jehl. “The good news for smaller firms is that they aren’t likely to be the first in the crosshairs.”
However, the EU isn’t likely to ignore violators for long, especially major international firms. Larger tech companies could be the first in its sights, as it has a long track record of imposing large fines on big businesses.
Between 2013 and 2017, the European Commission imposed fines totaling 8.472 billion euros ($9.54 billion). Those numbers don’t include the 1.06 billion euro fine imposed on Intel in May 2009 for abusing its market dominance on central processing units, and the 900 million euro fine imposed on Microsoft in February 2008 for”unreasonable” royalty fees.
“They may start with the bigger tech companies, but they will bring some action on smaller companies or outliers as well,” added Jehl.”They have to defend it, or they risk losing the power of the hammer.”
CCPA may not go into effect for another year and a half, but American companies may need to ensure they’re prepared for it.
“Although California’s law is more limited than the GDPR in many respects, its implications will likely be felt more broadly by U.S.businesses — including mid-sized firms that use third-party data but do not operate in Europe,” warned Ryan Radia, research fellow and regulatory counsel for the Competitive Enterprise Institute.
“California’s law does include express carve-outs for small businesses, however,” he told the E-Commerce Times.
“Although most large technology companies that interact directly with users now provide a mechanism for individuals to view or delete their information, thousands of companies that will likely be subject to the new California law have yet to provide for such a mechanism,” he noted.
“There’s likely to be nontrivial compliance costs for many of these companies, and California is also better positioned to actually enforce its law against U.S. companies, whereas the EU may encounter some challenges if it seeks to enforce the GDPR against U.S. companies that have no physical presence or assets in Europe,” explained Radia.
As it now stands, the fines that California could impose are on the smaller side. However, apart from what the AG could do with more egregious violators of the law, there is a concern that CCPA could have an impact on companies of all sizes.
“We do see a scenario where privacy zealots would push to go after small companies because the law would allow it,” said Jehl. “However, the enforcement mechanisms are rather unusual, so it is hard to tell how this will eventually play out.”
That said, CCPA “will be the strictest privacy regulation in the U.S., and it may wind up becoming a national standard as a practical matter,” said LSA’s Sterling.
“It’s chiefly aimed at data brokers and large processors of data such as Google, Facebook, and other online advertising and marketing companies,” he noted. “Any company doing business in California or using California citizens’ data will have to comply.”