Companies in California have a new regulation to consider: the California Consumer Privacy Act (CCPA). The scrutiny that companies like Facebook brought to the tech industry over data privacy has expanded into all industries, and everyone doing business in California should take note.
What Is the CCPA?
As of January 1, 2020, the CCPA is law in the state of California — one of the first and most sweeping of its kind. And while its intention is to curb large tech enterprises, many smaller California businesses are completely unaware of the effect the CCPA will have on their companies.
Here are the most important things that companies need to know about the CCPA.
- The CCPA may apply to many companies that are not based in the state of California. The CCPA definitely applies to companies in California that have more than $25 million in annual gross revenue, handle 50,000 or more personal records of Californians, or earn 50% of their revenues from the sale of private consumer information. However, it may also apply to companies that are “doing business in California,” which can expand the jurisdiction to companies without a physical presence in the state.
- The CCPA has a broad definition of personal information. Its definition is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes core demographic information like names and addresses, but it also includes things like IP address, network activity data, and biometrics. It may even include public information if that information is used in a certain way.
- The CCPA imposes substantial new obligations on companies within its purview. Consumers will enjoy many new rights under the CCPA, including a right to know about all data collected on them and the right to reject the sale of that data. Companies will be on the hook for providing easy access to these rights, including opt-out links on their websites and toll-free numbers for consumer requests.
What Is the GDPR?
Many experts believe that the European Union’s General Data Protection Regulation (GDPR) served as the inspiration for the CCPA. The landmark legislation was the first of its kind with such a broad scope. Here are the most essential aspects to know about the GDPR whether or not you have a business that is physically within the EU.
- The GDPR applies to any company that does business within the EU. Companies face huge fines if they are found to be out of compliance with even one piece of data of an EU citizen, whether that data was collected in person or online.
- The GDPR has affected the data privacy policies of companies across the world. Basically, if you want to do business in the EU, you must comply with the GDPR. Countries that depend on the market in the EU do not want to run afoul of its regulators. Through the international courts, the EU also exercises jurisdiction that can be invoked over companies with no physical locations in the EU.
- The penalties for non-compliance are severe. Data breaches or non-compliance can bring penalties as high as $22 million or 4% of annual global turnover — whichever is more. Although the standard for this penalty is higher than with the CCPA, the penalties are significant enough to ground many companies with just one instance of non-compliance.
Comparing the CCPA to the GDPR
The most important thing to know about these two regulations is that compliance with one does not mean compliance with the other. This is also true of the other data regulations that will be inspired by the CCPA and GDPR. They may be similar, but no company should take any of them for granted. Terms will likely differ between jurisdictions, which is why startup companies are warned to hire proper legal representation for every territory a company will potentially enter.
The most important thing to know about the CCPA and the GDPR is that the burden of proof is on the company to monitor data privacy.
Regulators are looking to make examples of companies, even those that may not know what data they collect. Both pieces of legislation have penalties for companies that unknowingly breach their policies. To avoid penalties, companies must stay informed and put protocols in place.
DataQ helps keep companies compliant because we’re considered a “Service Business,” which means that we solely process “business” data based on the direction of the business (this is similar to the Processor and Controller setup under the GDPR).
The beauty of using DataQ is that it allows retailers to retarget more safely. Here’s how:
- Our retargeting is based on email addresses rather than cookies, which means that we have a record of when that email address entered that audience pool and when it was used.
- We can easily opt-out any individual from a targeting effort if needed.
Savvy companies are reading up on the CCPA and the GDPR, even if they do not believe they are doing business in either of those jurisdictions. The economies of California and the EU are so large that any company doing international business will likely find itself within the purview of one or the other at some point. Understanding how to stay in compliance will help companies to stay out of trouble now and in the future.