Guest Column | December 5, 2019

Understanding The California Consumer Privacy Act And Other State Data Privacy Laws

By Ryan Hogan, Director of Strategic Advisory Services, BSI

California Data Privacy Bills

On January 1, 2020, a new law goes into effect for companies that do business in California and hold their customers' or California employees’ personal data. Although it is called the California Consumer Privacy Act (CCPA), the impact of this sweeping law will be felt around the world.

If your business is under the CCPA's umbrella, there are steps you must take to comply with the law before enforcement begins on July 1, 2020.

What Is The CCPA?

The CCPA is a law that aims to protect Californians and their data. In the wake of high-profile data breaches at some of the largest retail and financial organizations, California — which has a history of implementing laws by way of proposition — stepped in with guidelines that are designed with data security in mind. Not complying can result in hefty fines and settlements.

The California State Legislature passed the CCPA on June 28, 2018, and the bill was subsequently signed into law by then-Governor Jerry Brown the same day. Several amendments have been added since, including a set of seven that current Governor Gavin Newsom signed in October. The law is directed at companies that do business in California, collect personal data, and meet at least one of the following criteria:

  • Have gross revenue above $25 million per year;
  • Hold the personal information of at least 50,000 consumers, households, or individual internet-connected devices;
  • Derive more than half of their annual revenue from selling personal information.

The law's reach will stretch across the whole world, since California has the fifth largest economy on the planet.

What's In It

The CCPA contains multiple layers of data protection, ranging from a requirement that businesses make public disclosures regarding the rights of Californians, to a process for customers to assert their rights under the CCPA, to forcing businesses to provide notice and methods for opting out of data sharing.

A related law creates a "data broker" registry within the state of California, which will fall under the office of the attorney general.

What Businesses Need To Do

Whether your business is located in California, New York, or even a foreign country, if you fulfill the minimum requirements listed above and have customers or employees in California, you will be subject to the CCPA.

If your business also meets the qualifications for a data broker, it needs to be registered with the California attorney general as a "data broker."

It's recommended that companies conduct a full review of their privacy practices and how they handle customers' data. Any gaps should be addressed and filled, so the business is covered in the event of a data breach.

Online-only businesses must have an email address listed on their websites for customers to request opt-outs. All other businesses need to maintain both an email address and a phone number for this purpose. The law also requires companies to put a link on their website homepage that reads "Do Not Sell My Personal Information" and points to an opt-out page of the website.

Businesses also will need to acquire opt-in authorization before selling the personal information of anyone under the age of 16.

What Consumers Can Do

The CCPA gives consumers the power to file class-action lawsuits in the event of a data breach, with payouts of as much as $750 per incident to every affected California resident. Therefore, it's likely that consumers will play the largest enforcement role in the law, as they are the ones directly impacted by a data breach, especially since the California attorney general's office worries it will not have the staff capacity to manage the enormous workload that CCPA enforcement will require.

This threat of class-action lawsuits in the wake of any security incident that involves a data breach reinforces the importance of working hard to prevent security incidents and of following what the law says. Any significant incident will likely lead to a review of compliance with the CCPA by the California attorney general's office.

Not Just California

The Golden State is making headlines because of its sweeping data security protections, but several other states have some form of data privacy laws to protect consumers.

Here's a brief look at those states:

Illinois: Effective January 1, 2020

An amendment to the Personal Information Protection Act requires companies to inform the state legislature of a data breach involving customers' information and provide all of the relevant details.

Maine: Effective June 6, 2020

A privacy law prevents internet service providers from using, disclosing, selling, or permitting access to their customers' personal information without direct consent.

Minnesota: Current law

The Internet Privacy Law says that internet service providers must keep their customers' personal information private unless direct consent is given.

Nevada: Current law

An amendment to the state's privacy law went into effect on October 1, 2019, and stipulates that businesses provide an online method (an email address or a form) or a toll-free phone number that allows customers to opt out of their personal data being sold. Exempt from the law are entities subject to HIPAA and certain motor vehicle manufacturers and service providers.

Utah: Current law

Utah has two data privacy laws on the books: one requires all non-financial businesses to inform customers which data is sold for direct marketing purposes or compensation, while the other one protects data stored with third parties such as Google and Facebook from law enforcement and other government entities unless a warrant is obtained.

Vermont: Current law

The state requires all "data brokers" to register with the attorney general annually and provide customers with detailed disclosures about how their personal information is handled.

Similar bills are making their way through the legislative process in Hawaii, Maryland, Massachusetts, New York, Pennsylvania, and Washington.

With the 2020 deadline quickly approaching and many other states following suit, is your business prepared to meet the CCPA requirements and consumers' demands for greater accountability, transparency, and control of their personal data?