California Consumer Privacy Act impact on marketers

The California Consumer Privacy Act (CCPA) introduces sweeping new privacy regulations. Even though the law applies only to California, it will impact companies nationwide. The law applies to companies that do business in the state or collect data from California residents.

Although the regulation becomes effective on Jan. 1, 2020, only 8% of US businesses said they are ready for it, according to PossibleNow. About a third said they are not prepared for it, but expect to be by Jan. 1. Almost half (45%) said they’re preparing but won’t be ready by that date. The rest said they’re not sure or will wait to see if fines are issued.

The law applies to companies with annual gross revenues of $25 million or more, those that buy or sell more than 50,000 individuals’ data, and those that make more than half their annual revenues from selling customer data.

Potentially Severe Penalties

Companies can be fined $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. Penalties could add up to harsh fines for companies working with hundreds, thousands or even millions of data records.

Similar to Europe’s General Data Protection Regulation (GDPR), the law grants the state’s consumers the right to know about and control the personal information that companies collect from them. Californians will have the right to:

  • Know what personal data is being collected
  • Request details on how their data is being processed
  • Access their personal data
  • Request to have their personal data deleted
  • Know whether their personal data is sold or disclosed to third parties
  • Decline or opt out of the sale of their personal data

“CCPA compliance is a real financial and resource strain for many companies,” says Lauren Fisher, eMarketer principal analyst. “But like we’re seeing with GDPR, I think we’ll also see that companies that fail to make the investment now are going to have to put only more work and effort in down the line.”

Meeting the California rules should be easier for companies that already meet the GDPR, but meeting the GDPR will not make them compliant for the CCPA, or vice versa, cautions Len Shneyder, vice president of industry relations at Twilio SendGrid, in Marketing Land.

Companies fear a patchwork of 50 different state regulations in addition to international standards. Bills are already moving through other state legislatures. Compliance in one state doesn’t guarantee compliance in another. To handle multiple regulations in different jurisdictions, focus on the most stringent first, then work back from there, Shneyder advises.

More Recommendations for Marketers

  • Collect only data you need and can use rather than vacuuming up as much data as possible. That minimizes exposure in the event of a breach or other security event.
  • Conduct an internal review to determine what personal information your business is collecting and how it’s used.
  • Delete consumer information you don’t need anymore.
  • Ensure your organization can respond to consumer requests to access or delete their data.
  • Train your staff to understand the regulation and their responsibilities.
  • Audit third-party service providers that receive consumer data from your business to make sure they’re in compliance.
  • Prepare plans for handling a data breach.

Bottom Line: Ignoring the California Consumer Privacy Act (CCPA) is not an option for nationwide companies. While it’s similar to the General Data Protection Regulation, complying with that law does not mean companies meet the California regulation.