Governor Jerry Brown last month signed into law the California Consumer Privacy Act. The CCPA is the state’s response to a growing concern that consumers need stronger means to protect their personal information.
The issue came to a head in part due to recent breaches that exposed the personal data of millions of American consumers. However, the CCPA also addresses other privacy incidents that have affected millions of people in California and beyond.
The new law, which is viewed as one of the most far-reaching consumer protection privacy laws in the United States, will go into effect on Jan. 1, 2020.
At that time, businesses will have to comply with a range of new requirements. The CCPA’s end goal is to ensure that consumers enjoy “choice and transparency” when it comes to their personal information. For companies based in California, or for those that do business with clients or customers in California, this could be a truly big deal — and it isn’t something any business should ignore.
However, CCPA isn’t the only new privacy law that online businesses — big or small — need to take notice of at this time. The European Union’s General Data Protection Regulation went into effect this spring, and even with two years of warning, many companies were caught off guard. Many companies geo-blocked their content from IP addresses in Europe as a response to the new regulation.
EU lawmakers approved the GDPR more than two years ago to replace the previous Data Protection Directive in the 28-nation bloc. The goal of the GDPR was to give consumers greater control of personal data collected by companies online. It applies not only to organizations that are located within the EU, but also to companies outside the region if they offer goods or services in the EU or have any type of digital footprint with consumers there.
CCPA has been the center of controversy, as its many critics have contended that it was a hastily passed law that came about only as part of a deal brokered by the state legislature and Brown as a way to avert what could have been an even more costly fight over a proposed ballot initiative.
That proposal, which was backed by the state’s privacy activists, could have resulted in an even more stringent measure appearing before California voters in November.
CCPA grants residents in California the following rights: 1) to know what personal information is being collected about them; 2) to know whether their personal information is sold or otherwise disclosed and to whom; 3) to say no to the sale of their personal information; 4) to access their personal information and request deletion under certain circumstances; and 5) to receive equal service and price, even if they exercise their privacy rights.
At this point it is still unclear how CCPA actually will be enforced, but those violating the law could face fines ranging from US$100 to $750 per consumer per incident. More importantly, CCPA also empowers the state’s attorney general to pursue cases against businesses for damages of up to $7,500 per instance for “intentional violations.”
“CCPA deals with the data of California consumers,” said Laura Jehl, a partner with BakerHostetler and co-leader of the firm’s General Data Protection Regulation initiative.
“Not that many businesses online in the United States don’t have any California customers,” she told the E-Commerce Times. “If you offer goods and services and don’t comply with the law, you could face a fine. In California, it is also up to the discretion of the state’s AG to determine whether to go after violators.”
GDPR and American Companies
American companies — especially smaller firms — may think they won’t be affected by the EU’s GDPR, but that law could be as far-reaching as CCPA, or even more so.
“U.S. small businesses may or may not need to address GDPR compliance, as GDPR applies to any EU business and companies that process the personal data of EU citizens,” said Greg Sterling, vice president of strategy and insights at the Local Search Association.
“If U.S. small businesses are involved in the collection, storage or usage of personal data of EU citizens they will need to comply, but if they have no dealings with EU citizens they do not,” he told the E-Commerce Times.
Yet “GDPR is already relevant to American businesses that provide services through the Internet, as they often have international customer bases and provide services to EU countries,” said Erik Ashby, principal program manager at Helpshift, a San Francisco-based customer support technology platform.
“If EU citizen data is involved, businesses must have opt-in consent for storage and use of that data — consent is mostly not required for legal uses of pre-existing data,” added LSA’s Sterling. “In asking for consent, businesses must inform people of the specific, intended data uses, while data owners have a right to revoke consent and withdraw their data at any time.”
Devil in the Details
GDPR is very specific in terms of its rules as well.
“Consent for one purpose can’t be used to justify another, unrelated purpose,” explained Sterling.
“Categories of ‘sensitive’ data — e.g., children — carry additional requirements,” he noted. “Large-scale data processors, which most small businesses are not, may require the hiring of a data protection officer as well.”
Here is where the devil could truly be in the details, as data must be maintained in a secure and appropriate way for its intended use, and it should not be accessible to unauthorized parties. Further, data breaches must be communicated to victims — and potentially authorities — in a timely way.
“There must also be procedures in place to enable the owners of the personal data to access or request that it be deleted,” Sterling pointed out.
“As we have seen with CCPA, we expect that other governing bodies will follow the precedent set by the EU with GDPR,” Helpshift’s Ashby told the E-Commerce Times. “Most importantly, GDPR provides a set of basic guidelines that are fundamental to protecting customers, regardless of where they are.”
Businesses still have time to prepare for CCPA, but companies that are not yet compliant with the EU’s GDPR face serious fines of up to 4 percent of annual global revenue or 20 million euros (US$24.6 million), whichever is larger.
“This is a much stricter law, as GDPR makes very few exceptions when you process data, and it doesn’t matter if you are a small business or even a not-for-profit,” warned BakerHostetler’s Jehl.
“GDPR is about protecting the data of EU citizens, and whether you have offices in the EU or not you still need to be compliant,” she added. “An example could be a small hotel chain that has had EU customers in the past, and decides to market to them via email or online — and when you do so, you need to be compliant in how you use their personal data.”
Fine Time in the EU
Firms that are found in violation of the law could face those rather hefty fines.
“What we have seen is that EU regulators have indicated that they won’t enforce the full extent of the fines in the first couple of months, and that is a good sign for businesses that aren’t yet compliant,” said Jehl. “The good news for smaller firms is that they aren’t likely to be the first in the crosshairs.”
However, the EU isn’t likely to ignore violators for long, especially major international firms. Larger tech companies could be the first in its sights, as it has a long track record of imposing large fines on big businesses.
Between 2013 and 2017 the European Commission imposed fines totaling 8.472 billion euros ($9.54 billion). Those numbers don’t include the 1.06 billion euro fine imposed on Intel in May 2009 for abusing its market dominance on central processing units, or the 900 million euro fine imposed on Microsoft in February 2008 for “unreasonable” royalty fees.
“They may start with the bigger tech companies, but they will bring some action on smaller companies or outliers as well,” added Jehl. “They have to defend it or they risk losing the power of the hammer.”
CCPA may not go into effect for another year and a half, but American companies may need to ensure they’re prepared for it.
“Although California’s law is more limited than the GDPR in many respects, its implications will likely be felt more broadly by U.S. businesses — including mid-sized firms that use third-party data but do not operate in Europe,” warned Ryan Radia, research fellow and regulatory counsel for the Competitive Enterprise Institute.
“California’s law does include express carve-outs for small businesses, however,” he told the E-Commerce Times.
“Although most large technology companies that interact directly with users now provide a mechanism for individuals to view or delete their information, thousands of companies that will likely be subject to the new California law have yet to provide for such a mechanism,” he noted.
“There’s likely to be nontrivial compliance costs for many of these companies, and California is also better positioned to actually enforce its law against U.S. companies, whereas the EU may encounter some challenges if it seeks to enforce the GDPR against U.S. companies that have no physical presence or assets in Europe,” explained Radia.
As it now stands, the fines that California could impose are on the smaller side. However, apart from what the AG could do with more egregious violators of the law, there is a concern that CCPA could have an impact on companies of all sizes.
“We do see a scenario where privacy zealots would push to go after small companies because the law would allow it,” said Jehl. “However, the enforcement mechanisms are rather unusual, so it is hard to tell how this will eventually play out.”
That said, CCPA “will be the strictest privacy regulation in the U.S., and it may wind up becoming a national standard as a practical matter,” said LSA’s Sterling.
“It’s chiefly aimed at data brokers and large processors of data such as Google, Facebook and other online advertising and marketing companies,” he noted. “Any company doing business in California or using California citizens’ data will have to comply.”