The newest acronym striking fear into the hearts of qualifying businesses: CCPA.
Effective January 1, 2020, the California Consumer Privacy Act provides CA residents with more control over how their personal data is used and distributed and requires qualifying companies to maintain more stringent guidelines on how personal data is collected and processed. Overall, the CCPA gives California residents the right to request information about their personal data that a company is collecting, how the information will be utilized, and with whom the information will be shared. The law also requires qualifying companies to provide and delete all personal information of a consumer at their request. Lastly, CCPA allows California consumers to opt-out of the sale of their information to third-parties moving forward.
CCPA vs. GDPR and Why You Still Have Something to Worry About
While being compliant with GDPR is helpful when preparing for CCPA, there are some distinct differences to be aware of:
- Opt-out vs. opt-in: CCPA is an “opt-out” regulation, which means consumers have the right to opt out of the sale of their data to third parties. GDPR is an “opt-in” regulation, where consumers have to actively opt in to allow companies to sell their information to third parties.
- Delete vs. correct: CCPA gives consumers the right to access and delete their personal data. GDPR not only allows data deletion but also allows consumers to correct their personal data.
- Uncapped fines vs. capped fines: Fines under GDPR are capped at either 20M Euros or 4% of global annual revenue. There is no such cap under CCPA, where penalties for noncompliance range from $2,500 for each unintentional violation to $7,500 for each intentional violation.
There are additional underlying differences that ultimately make it challenging to align GDPR-compliant companies with CCPA, adding further barriers, and dollars spent, to bringing companies up to speed.
Who is Required to be Compliant with CCPA?
If you are a for-profit company doing business in California, you are required to be compliant with CCPA if you:
- Have a minimum of $25M in annual gross revenues.
- Generate 50% of annual revenues from data sales.
- Have obtained, bought, sold, and/or shared personal data on 50,000+ California residents, households, or devices for commercial purposes. For example, if cookies are placed on 50,000 or more website visitors from California, then the company is required to be in compliance with CCPA.
When Does the CCPA Go into Effect?
Although effective starting January 1, 2020, the law won’t be enforced until July 1, 2020, which gives noncompliant businesses more time to analyze and determine the impact on their companies. A word of caution: the law does contain a lookback window for any personal data collected on CA residents since January 1, 2019, which means that personal information from 2019 could be requested by California consumers, making the process of becoming compliant more challenging.
The Risks of Noncompliance are Many
There are myriad ways a company can be determined to be noncompliant under CCPA.
- Failure to comply with new disclosure obligations
If a company is collecting personal information, there must be a disclosure that states the consumer’s rights under CCPA, what categories of information are being collected, how the information will be used, and what personal information has been shared with third parties in the last year.
- Not maintaining processes to comply with consumer requests
All companies within the scope of the CCPA are required to maintain a process that allows consumers to view, delete, and opt out of the sale of their personal information collected by the company since January 1, 2019. The company is also required to have a verification process to validate the identity of the consumer making the data request.
- Failing to place proper opt-out methods on the company’s homepage
A noticeable link stating “Do Not Sell My Personal Information” is required on the company homepage. This link allows the consumer to actively opt out of the sale of their personal data.
- Data breach due to failure to maintain reasonable security measures on personal information
While CCPA does not provide specific requirements on data breaches, it does allow individual and class action suits for breaches of personal information that could have been avoided with reasonable security measures. Damages could amount to the greater of $750 per consumer per incident or the amount of actual damages caused by the breach. This could add up to a large liability for companies already working to recover from a devastating breach.
This extensive list of compliance failures further emphasizes the complexity of the new law and the dangers of violating it.
But What About My Adtech Company?
Overall, if your company is in the scope of the CCPA and you are collecting consumer data for resale, you can continue selling or sharing that data as long as the consumer has not opted out. Should the consumer request that their data be deleted, you will need to ensure not only that the data is removed internally, but also that it is deleted from data partners, which can cause a huge mess if records are not clearly tagged and maintained or if they are not properly tracked when sold between parties.
If you utilize programmatic advertising, how to treat a consumer’s personal data after they opt out is not explicitly clear. However, since programmatic advertising uses personal data to increase the value of an impression, the bids themselves would appear to fall under the scope of CCPA, which could mean that if a consumer has chosen to opt out, you will be required to remove their personal data from future ad calls.
Additionally, things aren’t black and white if your company is required to be compliant with CCPA but is not reselling data. Although nothing may change in your business process since you aren’t reselling data, a consumer will still have the right to request and delete their personal data and, should there be a data breach that stems from a lack of reasonable data security measures, that consumer will also have the right to sue for data misuse. There are also numerous areas under the law that require judgment in interpretation. For instance, if you as an adtech company collect first-party data to enhance user experience, it’s possible that your collection would fall under the “business purpose” category and your customers would not be able to opt out. But if a customer opts out and you’ve shared their personal information with data partners, you’ll likely have to pull their data from the partners’ systems.
Certainly Not The Last…
The California law appears to be the first of many personal data privacy regulations to come in the United States. States including Nevada, Maine, Massachusetts, Maryland, and New York have either passed their own privacy laws, which take effect later in 2020, or have privacy legislation currently being proposed. There is even a federal bill currently being introduced that is fashioned after the CCPA. These strict standards are changing, and will continue to change, the way we do business in the US.
What Can Withum do to Help?
Becoming CCPA compliant is all about having the right tools and information to inform your internal processes and procedures. Withum’s cybersecurity services team has vast experience in providing appropriate due diligence and remediating businesses suffering from some of the largest and most highly publicized data breaches to date, across all industries. We have the know-how on what auditors look for, a diverse group of individuals from many educational and industry backgrounds, and the technical expertise to assess your current infrastructure, inform your decision-making, and ensure your business is on track to respond to customer requests and avoid violations.
From reviewing your business website to ensure it is CCPA compliant (e.g., cookies, opt-outs, contact information, and internal processes and procedures for handling incoming requests) to acting as your vDPO (Virtual Data Privacy Officer) to ensure end-to-end data security and prompt resolution of requests, Withum’s cybersecurity team is here to support your business while you focus on the day-to-day.
When Should You Reach Out to Your Attorney for Further Guidance?
Does your company fall under the scope of CCPA? If so, Withum can connect you with legal advisors who can assist your business with ensuring you are compliant with the CCPA and other future privacy regulations.