The California Consumer Privacy Act (CCPA) comes into effect on the 1st of January 2020. Interestingly, it is aimed solely at for-profit businesses. This is one key difference between the CCPA and the GDPR; there are many more.
However, if you are running a business anywhere in the world, this could affect you. What matters is not where the business is based, but where the consumers are. If any of your users live in California, the CCPA could apply to you. So unless you plan on blocking the entire state of California from using your services, you should pay attention to this regulation.
To reiterate: the CCPA is NOT just for businesses based in California.
Before you read any further, just answer these three yes or no questions:
If the answer to any of those is yes, the CCPA will affect you — so what else do you need to know?
In its current state, the CCPA is not so much a set of rules for companies, but a new set of rights for consumers. So essentially, businesses now need to be prepared to facilitate these rights being exercised. Here is what they are:
This has been lifted straight from their website — the regulation is aimed at businesses but the site is written completely for consumers. This is important, because consumers should know what their rights are.
Where this leaves businesses: learn the rights and be prepared. To summarise the most important bits, as a business you must be prepared to:
Interestingly, the CCPA does not limit ‘personal information’ to data that identifies a person; data that identifies a household or a device counts too. This is a very apt move, especially when you consider the growing number of devices in a household that do not belong to one person: a smart TV, an Alexa, or one of these Facebook Portals, which are a privacy nightmare.
Pulled straight from the regulation document itself, it lists the following as personal information:
The usual suspects make an appearance here: geolocation, email address, employment information. But look who else is included: biometric data, psychometric data and… thermal information.
This is extremely comprehensive; it takes into account many different kinds of data that can be gathered in a variety of ways. And, importantly, in number 11 they have even included inferences drawn from any other data you may have gathered, so a profile you build about someone is personal information even if every input to it was innocuous on its own.
This means that the CCPA is squarely aimed at companies with the resources to aggregate data in this way; in other words, ad networks such as Facebook and Google that engage heavily in behavioural advertising.
CCPA enforcement can come in two ways: a business could be sued by California residents (the private right of action, which is limited to data breaches) OR be fined by the attorney general.
The attorney general fines are imposed per violation. A violation here is the failure to fulfil one request, for one person or device. So the failure to disclose to one customer all the data you collect about them is one violation.
💵 How much you could be fined depends on the situation, and is up to the attorney general. But, there are limits:
So say you have 5,000 active users, but you forget to be transparent about the categories of their data that you sell to other companies. You could be fined $12.5M (5,000 violations at $2,500 each). That is a lot of money, and not really that many active users.
Intentional violations carry a higher maximum, so if a Californian user asks you to delete all data you hold about them, or to stop selling it to others, it is definitely worth honouring the request and keeping evidence that you have done so: a logged, timestamped record of the deletion or opt-out, and of the downstream parties you notified.
In addition to this, you could also be sued for data breaches. The third consumer right listed above is the right to have your information stored securely. So as a business, you need to do what you can to safeguard against a breach. A California resident whose nonencrypted and nonredacted personal information is exposed because a business failed to implement reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. The security-relevant detail is the word "nonencrypted": personal information that is encrypted at rest, with keys kept out of reach of the attacker, is outside the scope of this right of action, which is a concrete reason to encrypt sensitive fields rather than rely on network perimeter controls alone.
Let us apply that to the recent data breach at Marriott hotels: 339M guests had their personal data stolen, including passport numbers, credit card numbers and dates of birth. If just 500k of those guests were California residents, statutory damages under the CCPA could reach $375M (500,000 × $750) before a single dollar of actual damages is claimed.
Just for perspective, the ICO's proposed GDPR fine for the Marriott breach was just under £100m. So the CCPA has the potential to cost businesses a lot more money if they fail, or refuse, to comply.
Who this affects in practice is currently hard to say, because it is a strict regulation that applies to a narrow set of companies. The likely targets are medium to large tech companies and data brokers.
What is quite clear is that the CCPA is just the start of things to come in the US; this is only one state. Others will follow suit (both Maine and Nevada have recently passed privacy laws), and that could pave the way to a much needed federal privacy regulation.