Are You Ready for the California Consumer Privacy Act?
California has introduced its own version of the General Data Protection Regulation (GDPR) called the California Consumer Privacy Act (CCPA). Here’s how you can prepare your business to comply.
By Rob Watts
Some of the most well-known technology companies are headquartered in California, which on June 28, 2018 passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA goes into effect January 1, 2020, and it’s expected to affect businesses throughout California, the United States and, in fact, the whole world. The CCPA will impact the way that businesses can handle customer data, and it’s considered by many to be the strictest data protection law in US history.
If you’re experiencing déjà vu, you’re not alone. Back in May, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. The GDPR has been a hot topic here at PCMag. While the law was made across the Atlantic, the truth is, it’s made a mark on businesses worldwide because it applies to all EU citizens regardless of where they live. Much like the GDPR, the impact of the new CCPA will have far-reaching implications beyond the scope of California. We talked to a few experts to learn more about the CCPA and some of its expected implications.
The CCPA and You: An Introduction
The CCPA establishes a consumer’s right to request that businesses disclose what sort of data is gathered about them. Unless you’re using a tool such as a virtual private network (VPN), it’s pretty much a certainty that countless businesses are gathering information about you whenever you’re online. To say this sort of transparency that the CCPA will bring is a big deal would be an understatement.
John Tsopanis is a Privacy Product Manager at 1touch.io, a company that helps businesses understand the personal data they handle. Tsopanis has spent the past few years doing GDPR consulting for companies and is gearing up to do the same with the CCPA. Tsopanis explains the CCPA in basic terms.
“On Jan. 1, 2020, a California resident will have legal right to ask any big company in America, ‘Are you processing any of my information?’” Tsopanis said. “Within 45 days, that company will be obligated to reply with a report detailing the last 12 months. It will have to show what specific categories of personal information they have on that individual, who they are sharing it with, and what are the reasons for processing it. They need to give that information to California residents — all 40 million of them — within the timeframe.”
Differences Between GDPR and CCPA
There are some substantial differences between what the GDPR does and what the CCPA covers. For starters, the CCPA will use an opt-out basis for consent whereas the GDPR uses an opt-in basis. This essentially means that users will have to actively reach out to companies to find out about what sort of information is being used. Additionally, the GDPR applies to any organization that holds personal data on EU citizens.
The CCPA, on the other hand, only applies to for-profit companies that process data on California residents. The organization must either do at least $24 million in annual revenue, hold the data of 50,000 people, or do at least half of their revenue in the sale of personal data. So, if you own a small boutique store and the extent of your online operations is a webpage that lists your store hours and address, then you won’t have to worry too much about the CCPA. But if you run an e-commerce website through a turnkey provider or maintain your own e-tail website through a general web hosting service, then you’ll want to pay attention.
Courtney Bowman is an Associate in the litigation department at international law firm Proskauer Rose LLP. Bowman explains why that CCPA will require companies to think carefully about their data usage far beyond 2020. “That 12 months requirement means that companies are going to have to look at their privacy policy at least once a year and try to figure out whether anything’s changed,” she said.
“They’re going to have to continually monitor what data they’re selling or disclosing to third parties so they can adjust their privacy policies accordingly,” Bowman continued. “The law also gives consumers a right to access or delete their personal information in some situations, and businesses will need to ensure that they can actually effectuate that right expeditiously. That’s going to require companies to engage in data mapping to figure out where their data is located, and also to liaise with their IT departments to figure out what they need to do to make sure that they can fulfill their responsibilities under the act.”
The CCPA’s Wide Impact
In the months leading up to the GDPR, a running theme in our coverage was that, in our globalized world, the GDPR would affect businesses beyond Europe. After all, most large companies do business abroad and will have to change their online operations globally to comply with the law. When we spoke with Tsopanis, however, he said American companies still need to take special notice of the CCPA.
“When it comes to American companies, the GDPR was mainly focused on major organizations that were operating across the channels. With the [CCPA], the criteria for the companies that qualify is much larger by a massive order of magnitude,” said Tsopanis. “There are 40 million people in California; 50,000 isn’t even 0.1 percent of the population. I think the scale of exposure for American companies is significantly higher than was previously under the GDPR.”
Tsopanis offers the example of fast food giant Wendy’s. “Wendy’s is the 999th largest company on the Fortune 1000 and has an annual revenue of $1.2 billion — 48 times higher than the threshold for applicability under this law. At the very least, there are 1,000 billion-dollar companies in America [that] need to comply with this law, and significant orders of magnitude greater than that in the $25-million category.”
We may not consider Wendy’s a tech company but they gather their fair share of user information. They are also a perfect example of how companies of all kinds will be affected by the CCPA. When you visit their website, order food via their point-of-sale (POS) systems, or even just use the Wi-Fi at your local Wendy’s restaurant, the company is collecting your information, and in California, at least, that’ll all be subject to CCPA regulation. If a company as “small” as Wendy’s is collecting so much data on users, then it’s downright scary to think of what larger corporations are collecting. Simply put, the CCPA will have enormous implications.
Important Data Discoveries
One of the most important effects of the CCPA is that Americans will finally be able to uncover the vast amounts of data buying and data selling that companies have been doing. “This bill is going to allow the American people to finally uncover the mass web of data buying and selling organizations [that] have previously been completely anonymous. This is going to lead to a dramatic cultural shift in the way data privacy is perceived,and, ultimately at some point, lead to harmonized federal privacy law,” Tsopanis said.
When the Cambridge Analytica scandal broke, it got the attention of millions of people, whether they were technologists or not. It made people very concerned about who’s collecting their information and what is done with it, and the CCPA is, in part, a response to that. Tsopanis argues that the resulting revelations will be massive.
“For every journalist in the country, this is a godsend. California is a $2.7 trillion economy — the fifth largest in the world — and it is built on Big Data. Every access request from every Fortune 1000 company is going to reveal a whole network of data buying and selling companies that are going to come under intense scrutiny,” Tsopanis explained. “We don’t know exactly what we’ll find when folks start getting their data reports, but there are sure to be some interesting revelations.”
Just 18 Months to Prepare
If we learned anything from GDPR, it’s that companies need to plan as early as possible to be ready for the deadline. With that in mind, American companies don’t have much time at all. The GDPR was adopted in April 2016, and companies had a little over two full years to adapt and comply with the regulation. Since the CCPA goes into effect right at the beginning of 2020, this means larger companies now have just 18 months to get ready.
That deadline is likely to make even the most seasoned tech professional stressed out. “The amount of work that needs to be done in 18 months is greater than was necessary for the GDPR, with less time to do it, and with American companies coming from a lower level of privacy maturity than Europe,” warns Tsopanis.
To comply, the security veteran recommends companies take proper care in developing their processes. “In the next six months, what organizations need to do is to develop some sort of method of tracking personal information across the organization,” Tsopanis said. “They need a way to easily access what personal information was sent to which third party and at what time, and then they need to be able to track that over the 12 months up to implementation, and be ready to provide that information upon request when the regulation comes into play.
“It is essentially going to require almost all major US companies conduct major data identification activities, and be able to automate and respond to data subject access requests from California residents on the enforcement date,” Tsopanis continued. “It’s also important to note that, when the law passes in 2020, they need to be able to provide a report on user information in the preceding 12 months. This effectively means that businesses need to be tracking that data on January 1, 2019.”
From a legal perspective, Bowman says there could be some changes made before the deadline. “We do expect that we’re going to see some revisions to the law before it goes into effect,” she said. “Because it was drafted fairly quickly, even after it goes into effect there may be some gray areas that remain outstanding in terms of our understanding of them. After all, the GDPR took years to draft, and there are still multiple parts of the GDPR that are ambiguous.”
Read more: “How GDPR Will Impact the AI Industry”
Originally published at www.pcmag.com.
