February 7, 2020
TABLE OF CONTENTS
As of June 2018, the state of California passed a new privacy law that could lead to more consequences for US-based companies than the European Union’s General Data Protection Regulation (GDPR). While the new California law doesn’t include some of the more severe GDPR rules like a 72-hour window for a company to report a breach, some would vote that the CCPA is actually stricter in certain areas.
The GDPR specifically requires businesses within the EU to protect personal data of EU citizens when data activities occur within EU member states, and it also regulates the export of EU citizen’s data outside the EU. The GDPR was put into place because of numerous high profile data breaches that have occurred within the EU in the past few years and the public’s concern for data safety.
According to a 2018 RSA security survey, out of 7,500 consumers within countries like France, Germany, Italy, the UK, and the US, 80 percent said lost financial and identity information was a top concern. With actual data breaches and the public’s stressed concern for personal information, one can easily see where the demand to enhance online privacy comes from.
The GDPR’s ripple of integrity for personal data in many ways seems to have served as the foundation for the state of California to approve a similar bill, the California Consumer Privacy Act (CCPA). The CCPA can be seen as an act to help give users the power to choose if they give consent for their data to actually be collected. So while the GDPR forces companies to be extremely protective of their personal data, the CCPA looks to enforce that and more.
For instance, the CCPA is forcing the presence of a clickable link on all websites and apps that fall under certain criteria to have to be present on every accessible online page. The links usually say some text along the lines of “Do Not Sell My Personal Information” or something very similar. This link will act as the gateway to allow the user to do many things with their personal data, including removing any previously stored data from one’s system.
With data access and data manipulation requests coming from the user, businesses will now be forced to organize all of the collected data in a way that will give them the ability to return a user’s collection of data. The CCPA requires companies to return requested data to a user in 45 days or less, or they will be subject to a penalty.
While this may seem like a simple request with that amount of time, it will cause many businesses a great deal of headaches. Subra Ramesh, SVP of Products at Dataguise, had this to say, “First the amount of data they collect is already massive and continues to grow, often in the hundreds to thousands worth of terabytes, and with enterprise-level organizations processing petabytes of data.” So it’s safe to say this request to return could be problematic for companies with larger sets of data.
The CCPA also requires companies to give users transparency into the sale of their data. The CCPA covers the previous 12 months of data transactions, meaning companies are required by this law to provide the names of every company to which they sell data. Tsopanis said this law update alone “Will change the privacy landscape in America forever.” Companies will no longer be able to hide whom they are involved with for data transactions. This amount of insight could potentially hurt a brand’s image based on where they sell users’ data.
The CCPA has a broad definition of what it considers personally identifiable information (PII). The includes, but is not limited to:
A typical website is likely to store a variety of information about the user upon visiting, most likely in the form of a cookie. These can be split into a number of different categories: first party, third party, performance, analytics, or general functionality. It is highly likely that the user’s personal information is used by these cookies, especially by third parties for advertising purposes. Under the CCPA, a user will be offered the ability to see a description of the types of cookies a site uses, along with the ability to opt-out of anything the site does not require to function.
Under the CCPA, consumers have these essential rights regarding their personal information:
Personal data sales have been a primary & secondary source of revenue for many big-name companies. But as of January 1, 2020, this source of income and user information is no longer a guarantee. The CCPA law applies to many big-name companies across the US, not just ones with a presence in California. This is due to the CCPA’s criteria which enforce companies to be compliant if they have at least 25 million in annual gross revenue, or have personal data on 50,000 or more people/households, or if the company earns half of its revenue selling California user’s data.
So with these new California state laws in place, who will be the one to ensure that these guidelines are followed? The attorney general within California will be in charge of enforcing the viral law against any company that breaks it, but there are multiple sources stating that the attorney general Xavier Becerra’s office will only have a limited number of resources to pursue a finite number of cases per year.
Companies that are non-compliant with the CCPA will be hit with hefty fines. Specifically listed by the Attorney General, companies that are non-compliant 30 days after being informed are at risk of being penalized up to $7,500 per violation. So this means if you have 100 users, you could be at risk for being hit with a fine up to $750,000 ($7,500 x 100).
There are many steps in regards to how one might implement the CCPA changes to their website and organization in order to be CCPA compliant.
Start by preparing your consumer data. You’ll need to know the answers to the following questions: What personal data do you currently collect, how do you collect it, where and how do you store it, who do you share your collected data with? Do you sell it, and how often do those selling transactions occur?
Ensure customers are allowed to opt-out of data collection. This is done by adding the “Do Not Sell My Information” link on any accessible page on your site. This link will allow visitors to make requests to read, stop, or delete the collection of data you hold on them. These links should be wired up to fully working features that have access to all of your collective user data. Once the user clicks the link, they’ll then be able to request to see their current data or delete it. This process is dependent partially on how you prep for your consumer data and how you structure your data on your servers to handle these newly scoped queries.
Plan out how your organization will handle customer requests and the process that will follow that request. The CCPA requires companies to answer data-related requests within 45 days. Some of these requests and services will range from the following:
By following these guidelines, Levvel has helped multiple companies achieve compliance with data privacy and security laws such as GDPR, CCPA, PCI, and others. We provide the ability to partner from strategy to implementation with businesses that need to become compliant, or ones that want help polishing their already implemented processes. Our experience within this realm can make this procedure smooth and simple for businesses of any size. Contact us today to learn more about how our services could better prepare you to serve your customers and stay compliant.
The next big announcement will come into play on July 1. This is the deadline for the attorney general to finalize regulations specifying what companies need to abide by in order to stay fully compliant with the law. Many businesses hope these regulations will help clarify the unclear aspects of this law.
In July, Californians will be allowed to sue businesses for specific data breaches, and the attorney general will be able to start enforcement actions. There are also rumors of a November ballot that could expand the privacy rights of the CCPA to bring even broader protection to online users.
Meet our Experts
Matt White is an engineering consultant at Levvel. He got his start in the tech industry working as a full stack web developer for Bank of America where he worked on an internal static site generator. Matt has also assisted teaching, and is a graduate of, UNC Charlotte's Full Stack Web Development bootcamp.
Joe Grady is an engineering consultant at Levvel where he helps clients solve issues related to web development. Prior to Levvel, Joe worked at Investor Management Services, a FinTech startup recently acquired by RealPage. In addition, Joe's full-stack abilities in combination with his business degree have assisted him in running multiple e-commerce businesses.
You're doing big things, and big things come with big challenges. We're here to help.