Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.
The arrival of the General Data Protection Regulation back in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With widespread implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe to not only take note but act. One of the first to do just that was the US state of California, which, mere weeks after GDPR came into effect, signed into law its own updated data protection rules, known as the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California; it’s based in another US state entirely, or even in a completely different country.
Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?
Is it time to stop reading this article and go about your day?
Not exactly. Here’s the truth:
The Consumer Privacy Act Could Impact Your Business
In fact, according to the International Association of Privacy Professionals (IAPP), the legislation will apply to more than 500,000 companies in the United States. That’s not to mention the impact it’s likely to have internationally.
- But what exactly is this impact?
- How will the new Consumer Privacy Act affect your business?
At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.
Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world and offer our expert insights on what you might need to do to ensure long-term compliance.
However, before we get to that, let’s first answer the one question that’s most on your mind:
What is the California Consumer Privacy Act 2018?
Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide directive. Putting the new bill together, lawmakers wrote:
- “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information”.
- “It is possible for businesses both to respect consumers’ privacy and provide a high-level transparency to their business practices.”
To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives those consumers the right to request that a business disclose the following key details:
- The categories and specific types of personally identifiable information that it has collected about them.
- The types of sources it has used to collect that information.
- The reasons why it has collected that information, whether that’s to use it for business purposes or sell it on to a third party.
- The categories of third parties that the information will be shared with.
What else does the CCPA say?
Along with making it a requirement to meet those data requests at no cost to the individual, the new law gives businesses several other obligations. These include:
- Informing people about the categories of personally identifiable information being collected and the purposes for which the information will be used before that data is collected or, at the very least, at the point of collection.
- Providing the same levels of service and pricing to individuals who exercise their privacy rights.
- Being sure not to sell on personal information if an individual has said no to this.
Does CCPA Apply to My Business?
Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to those businesses based within California. Rather, any business with customers in California can be affected if that business meets any of the following three criteria:
- The business has annual gross revenues which total at least £25 million.
- For commercial purposes, the business either buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
- The business generates at least 50% of its annual revenues from selling the personal information of consumers.

This includes businesses based in other US states, or even in other countries.
The immediate and long-term impact of CCPA
So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:
If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.
Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms:
- Those from citizens who want to know what types of data you hold on them.
- Those from citizens who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.
So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.
CCPA doesn’t come into effect until January 1st, 2020.
At time of writing, that gives affected businesses under one month to get ready. But what about those businesses not immediately impacted by CCPA? What happens if you don’t have customers in California?
Does that mean you can forget all about data protection and carry on as normal? Not quite.
Here’s the thing:
The California Consumer Privacy Act of 2018 is only the beginning of a widespread shift in privacy culture. Yes, California may be the first US state to adopt a GDPR-like approach to consumer privacy, but it certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.
In other words, by the first half of the next decade, we should expect to see GDPR-style regulations become the norm across the United States as well as other non-US and non-EU countries.
So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.
How GDPR Compliance Can Help You Prepare for CCPA
Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?
In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you’ve already taken the necessary steps to ensure you’re fully compliant with the General Data Protection Regulation. Remember, CCPA is directly influenced by GDPR, just as most new privacy laws are expected to be in the future. So, if you’ve taken the necessary steps as outlined in our GDPR compliance assessment, you may well find that you’re already well on your way to CCPA compliance.
If not, don’t worry: Help is at hand.
At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.
From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.
See our comprehensive CCPA Service to find out how we can help you prepare for and achieve CCPA compliance.