CCPA—Not Just for Californians
By Axiom Law
When the California Consumer Protection Act (CCPA) goes into effect on January 1, 2020, it won’t just impact consumers and businesses headquartered in California, but a wide range of companies that do business in the state. By one conservative estimate based on US Census data, the CCPA will impact over 500,000 companies, including those that make over $25 million in gross annual revenue. By expanding data privacy laws and protections for consumers, the CCPA also raises questions about the future of data privacy regulations and how they will evolve as more jurisdictions, including other US states, pass privacy legislation. As privacy regulation reshapes how companies do business around the world, here’s a look at some important aspects of the CCPA that companies need to know about the law and its potential consequences, regardless of their location.
Who does the law apply to?
First and foremost, the CCPA covers all residents of the state of California. It also covers all companies that do business within the state that meet one or more of the following criteria:
- Make over $25 million in gross revenue
- Annually buy, receive, sell, or share the personal information of 50,000 or more consumers for commercial purposes
- Derive 50 percent or more of their annual revenues from selling consumers’ personal information
As California is the 5th largest economy in the world, the consequences of the CCPA will be widespread and felt by a wide range of businesses and industries beyond the state itself.
What are some important aspects of the law?
The CCPA expands protections for consumers around how their data is bought, sold, and utilized. It employs an expansive definition of personal data, which, according to a report by One Trust, includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA empowers Californian consumers with some of the following rights when it comes to their personal data:
- The right to request information about how their data is being sold or exposed
- The right to have personal data deleted
- The right to opt out of personal data being shared or sold
In addition, certain businesses that have over $25 million in gross revenue must inform consumers if they are collecting their data. Under the law, those businesses must inform consumers how their data will be used, are obligated not to discriminate in the handling of consumer requests, and must deliver the requested information to consumers free of charge.
What are some of the risks associated with the law?
The impact of the CCPA for companies will go beyond the financial consequences caused by violations, and extend into how businesses budget, plan, and staff for their teams.
Enforcement of the CCPA will begin July 1, 2020, and violations could result in millions of dollars in fines for companies, including:
- Civil penalties of up to $2,500 per violation
- Civil penalties up to $7,500 per intentional violation
- $100 to $750 per individual California resident, or the actual damages caused by a data breach
The CCPA also gives the California attorney general more power to pursue companies that violate the law. Beyond the fines the CCPA allows, companies must also consider the reputational damage that security breaches and violations could cause.
Beyond a potential financial and reputational impact, preparing for and complying with the CCPA will create several major challenges for businesses, due to the fluctuating and uncertain nature of the law and its enforcement. CCPA brings:
- Uncertainty around budget and the number of team members necessary to handle an unknown volume of consumer requests
- Increased risk due to lack of precedent—how will the law be enforced and how stringent will regulators be?
- Competition for lawyers specialized in privacy—to ensure compliance with the CCPA, companies must engage a highly sought-after privacy expert
In addition to these challenges, the longer-term consequences of the CCPA are still unknown to privacy experts.
How might it shape the future of data privacy?
Given the size of California’s economy, the CCPA is currently the major piece of data privacy legislation in the United States. However, other states, including Washington, Nevada, Massachusetts, and New York, are introducing their own privacy legislation. The question for companies doing business in these states is how this legislation will adhere to or differ from California’s law.
Axiom attorney and privacy expert Angelo Basu remarks, “This is where there’s a risk for companies from a privacy perspective. Will new regulations gravitate more towards GDPR, which will make compliance relatively straightforward, or will the global center of gravity shift towards California or another jurisdiction? We may end up with a load of inconsistent laws, which will require a more fragmented approach and put more risk into business.”
While some details about the law are still unknown and the longer-term implications of the CCPA are not yet possible to predict, companies must still prepare to comply.
What are possible actions businesses can take to prepare?
A study conducted by the International Association of Privacy Professionals and One Trust found that only 1 in 4 businesses are highly prepared for the CCPA and just over 50 percent will be ready by January of 2020. Adding to the challenge of preparing is the fact that the detailed requirements of the CCPA are still in development, despite the deadline for compliance rapidly approaching. Complying with the CCPA, along with other upcoming privacy regulations, is not a one-and-done solution. Instead, privacy should become central to a company’s everyday business operations in order to make compliance part of standard operating procedures.
While privacy compliance is an evolving process, companies can take the following steps now to help prepare for the CCPA:
Review current privacy policies: Understand what policies are already in place, how they are incorporated into day-to-day business operations, and what needs to be updated to comply with the CCPA.
Build your privacy team: Privacy regulations impact departments as varied as legal, HR, sales, procurement, business operations, and IT. Put together a privacy task force and appoint or hire a senior-level privacy officer who can ensure privacy and compliance are strategically addressed across your organization.
Operationalize privacy: Work across business units to fold privacy compliance into your workplace culture, training, and business operations. Iterate and improve on privacy-related functions such as responding to consumer requests about personal data collection. Continue to work with privacy specialists to understand and align with changing privacy regulations.
You have several options to aid your team as you audit your privacy function and build your team in advance of the CCPA:
- Hire a team of sought-after privacy attorneys
- Outsource privacy work to a law firm
- Scale your legal department according to need with flexible privacy experts from a legal talent provider such as Axiom
With a bench of over 200 privacy attorneys to draw from, Axiom’s lawyers can provide the extra capacity and privacy expertise you require. Axiom can work with your specific needs, whether it’s a single lawyer or a team of privacy experts. With experience working on over 116 privacy engagements in 2018 alone and a deep understanding of how privacy regulations impact businesses globally, based on GDPR engagements and previous work experience, Axiom’s attorneys can help you develop an actionable plan and enable your business to be fully prepared to comply with the CCPA.