Earlier this year, California passed the California Consumer Privacy Act of 2018, or CCPA for short. Beginning in January 2020, companies will be required to comply with this new law, which places new restrictions on how companies handle personal data. The CCPA will require companies to revisit and potentially amend their data monetization models, provide rights to access and deleting data, in addition to updating privacy notices that outline their data processing procedures.
Dattell is a data architecture and machine learning consulting company that provides strategy, engineering, and perspective about data collection, data storage, automation, data security, machine learning and data visualizations.
In this blog post we will review the new law and outline why it is important for technology teams to get familiar with it. In Part 2 we discuss how to take action.*
If you are short on time, move to the TLDR at the bottom.
What Data is Protected?
In the new California Consumer Privacy Act, personal information is defined as “any information that … relates to … a particular consumer or household.” As Lothar Determann pointed out in his article on IAPP.org, “For example, annual water or energy consumption of a household, a particular employee’s job description, an Internet Protocol address, web browsing history and “purchasing tendencies” will be regulated as personal information, even if no names are associated with it.”
We’re Not Based in California, Does The Law Affect my Company?
Yes, this new law will affect your company if it collects personal information from California residents and if it or its subsidiary or parent company meets any of the following conditions:
- Receive personal information for ≥50,000 California residents, households, or devices annually. The definition for personal information is broad as stated above, and thus information such as IP addresses can be included. A blogger, retailer, or other small business could easily exceed this threshold.
- The sale of California residents’ personal information accounts for ≥50% of annual revenue. In the new law the sale of data is broadly defined to include any disclosure of data for “monetary or other valuable consideration.”
- Gross annual revenues are ≥$25 million. Whether this revenue threshold refers to global revenue or specific to California revenue is not clearly stated in the new law.
What do Companies Need to do to Comply With the California Consumer Privacy Act?
The following are some of the broad steps companies need to take to comply with the new law, but does not serve as a conclusive list.*
- Provide California resident customers or users with a clear option to opt out of the sale of their personal information.
- Provide protocols for users to request data. The minimum requirement is to provide a toll free number for users to call.
- Update privacy policies to include all of the information required under the new law, which includes an outline of the data rights for California residents.
- Capture users’ ages to not violate age related portions of the new law. For instance, parental consent could be required for California residents under 13 years of age.
- Create data maps for all of the personal information received for California residents so that your company can provide data access and deletion at the request of users.
Several of the new compliance requirements are focused on your company’s legal team, including rewriting the privacy policies. However, the majority of these new compliance items lie squarely on the technology team’s shoulders. Here’s a quick quiz to see if your technology team is close to being ready for the new law:
If you answered “No” to any of the above, then it’s time to start making plans for how to remedy those missing compliance requirements. And even if you answered “Yes” to all of the above, there is still another glaring issue: Civil class action suits for data breaches.
What Are The Potential Economic Damages for Data Breaches?
Civil class action suits in response to data breaches or data theft of sensitive information (such as social security numbers or bank accounts) can include either actual damages or damages in the amount ranging from $100 to $750 per consumer per incident.
If unauthorized parties gain access to a database containing sensitive information for 50,000 California residents, this could include damages of a minimum of $5,000,000.
For instance, if we look at the MyFitnessPal breach from the spring of 2018, 150 million users’ information was compromised. If 12% of the users were Californians (12% of the US population resides there), then that would mean 18 million California residents had their personal data compromised. If that event occurred under this new law, claims in the range of $1.8 billion to $13.5 billion would be possible.
Now that we have your attention, in Part 2 we describe three ways your technology team can work to protect your company before this new law takes effect on January 1, 2020.
TLDR, the California Consumer Privacy Act (CCPA) is going into effect on January 1, 2020. Many companies will need to rethink how they collect, store, and provide access to user data. At Dattell we are optimists, and believe that these new requirements can be an opportunity for companies to improve data architecture (especially security), and move to more efficient systems.
* DISCLAIMER – The information provided in this post should serve solely as an overview for readers to understand why certain technology optimizations could be helpful for their companies, and it should not serve in any way as or take the place of legal advice. Companies should consult a legal professional and the law directly for more information.