Businesses have learned how to profit from using their customers’ data. By learning ever more about both the idiosyncrasies of individual customers and broad demographic groups, these businesses have improved their marketing and customer satisfaction. Until recently, they faced few legal restrictions on how much data they collect or how they profit from it.
This lax regulatory environment is changing. Alarmed by data breaches and the ways their personal data is bought and sold, consumers are increasingly demanding transparency and control of their data.
The first major legislative response to this concern was the General Data Protection Regulation (GDPR). The European Union ratified the law in 2016. Every company, regardless of location, that holds the data of an EU resident is governed by the GDPR.
The California Consumer Privacy Act (CCPA) is the most significant data protection legislation in the U.S. Many business forecasters believe the CCPA will prompt a sustained movement to mandate stricter privacy regulations across the country.
Every company, regardless of location, that has annual revenue greater than $25 million and does business with California residents must comply with CCPA. Companies of any size that have personal data on at least 50,000 people, or that collect more than half of their revenue from sales of consumer data, must comply if they do business in California. The law applies to all companies with data on California residents, regardless of the company’s actual location.
Penalties for failing to comply with the CCPA
The CCPA took effect January 1, 2020, though companies should’ve had data tracking systems in place before then.
Under the CCPA, consumers have the right to request all data from the previous 12 months, and companies must comply within 45 days or risk a fine up to $7,500 per record. The law allows consumers to sue companies for misuse of their data, which creates a novel new financial risk for companies.
The CCPA specifies that companies must have a visible footer on their websites detailing a consumer’s right to opt out of data sharing. Consumers can sue if the footer is missing, if they cannot find out how their information is being collected, or if they are denied copies of their data.
Data covered by the CCPA
The CCPA defines personal information as
- Identifying information, such as real name, postal address, unique personal identifier, IP address, email address, account name, Social Security number, passport number, driver’s license number, or other similar identifiers
- Commercial information, including records of personal property, products, or services purchased; purchases considered; or other purchasing histories
- Browsing history, search history, and information regarding a consumer’s interaction with a website or advertisement
- Geolocation data
- Education information
- Inferences drawn from this information, such as personal characteristics, predispositions, intelligence, aptitude, etc.
Key components of the CCPA
First, companies need to meet the right-to-know standard with end-to-end transparency for consumers. Companies must inform consumers when their data is collected, what data is collected, how they will use that data, and if they will sell that data.
To meet CCPA requirements, companies must
- Provide relevant notifications on their website, mobile apps, and any paper documents used to gather consumer data
- Provide notifications that are accessible to all individuals, including those with disabilities
- Make notifications visible before data is collected
- Provide a “Do Not Sell My Info” or “Do Not Sell My Information” link so customers can opt out of the sale of their personal data
California is creating an opt-out button and logo that will make it easy for companies to provide this option to consumers. Companies can use these to link to official consumer privacy rules. Businesses must also support the CCPA’s requirements to opt out of data sharing. To comply, they must
- Provide opt-out language in addition to the “Do Not Sell My Info” link to make it clear the company collects and sells consumer data
- Provide an opt-out option in both online and offline communications
- Document requests to opt out and maintain those records
Last, consumers have a right to delete their personal information. When a consumer submits a request to delete their data, the company must first verify the consumer’s identity, then notify the consumer that their request has been received and is being processed.
The company must respond within 45 days after verification to requests to delete or requests to know. The 45-day response time can be extended but only with appropriate notice and explanation. To comply with a valid request from a verified individual, a company must
- Permanently erase data on existing systems, de-identifying the information or aggregating it
- Notify consumers that the data has been backed up or archived and will be deleted when those systems are next accessed
- Maintain records of the request
The same system exists for right-to-know requests but essentially in reverse. The business must verify the consumer’s identity and disclose the data. Exceptions to disclosure are allowed for security-sensitive information.