In 2018 and 2019, the buzz in online digital circles was about “GDPR” – Europe’s General Data Protection Regulation that outlined all the roles and responsibilities of companies and brands in relation to data privacy. And now in 2020, look for a similar amount of buzz to surround “CCPA” – the California Consumer Privacy Act that went into effect on January 1, 2020. If you’re a brand or company, it’s only natural to ask: “What exactly is the CCPA and how does it impact me?”
Overview of CCPA
In many ways, the new CCPA is California’s response to the GDPR. That means if you are already in compliance with GDPR, then it shouldn’t take much more effort to get into compliance with the CCPA. Taking a broad overview approach, both the CCPA and the GDPR attempt to give consumers greater control over their data and significantly beef up their data privacy protections. Both regulations start from the perspective that online privacy should be a fundamental right, and that companies shouldn’t be able to buy, sell, and trade your data without you being able to have a say in the matter. As a result, the CCPA extends a number of protections to consumers, such as the right to request that companies stop selling their data to third parties (such as advertisers). Consumers can also demand, at any time, to see all the information that companies have been collecting on them.
It would be a miscalculation, however, to assume that the California Consumer Privacy Act only involves companies based in California. Broadly speaking, the CCPA applies to all companies doing business with California citizens. If your company has more than $25 million in annual revenue, or if you collect the personal data of more than 50,000 people, or if your company derives more than 50 percent of its revenue from the sale of personal data, you need to look into CCPA compliance. Microsoft, for example, has already said that it would honor the CCPA wherever it does business, despite the fact that its home base is in Washington State and not California.
Why brands need to be aware of CCPA
The one big reason so many people were talking about GDPR in 2018 and 2019 is that it established tough new penalties for companies that failed to comply with their data privacy obligations. And it will be no different with the CCPA. Screw up in California and you might be facing some huge penalties. For example, if your company has been informed of a possible data privacy violation, and you do not fix things within 30 days, you could be looking at a penalty of $7500 per record. If you have thousands (or tens of thousands) of customers, you can easily see how this could result in huge fines and penalties. Moreover, there doesn’t even have to be a data breach involved – if a customer claims that you have unfairly used their biometric data (such as via a new facial recognition tool), you could be held responsible under CCPA.
The potential for lawsuits against Google and Facebook
Where things get really scary for brands and companies is when it comes to “the right to private action.” In other words, individual consumers will have the ability to bring private lawsuits against companies like Facebook or Google. In addition, it will also become much easier to file class action lawsuits for damages. If there’s one thing that scares companies, of course, it’s the risk of being litigated to death with lawsuit after lawsuit. Imagine millions of people across California filing lawsuits against Facebook or Google, and you can start to see why the CCPA could become a legal nightmare for these companies.
The future of CCPA
Just remember that the CCPA is still very much a work in progress. There are sure to be changes and amendments along the way, as well as a lot of maneuvering by the big Silicon Valley tech giants to get a new federal data privacy bill passed that will be a lot more lenient when it comes to their roles and responsibilities. But for now, the CCPA is de facto “the law of the land,” so keep a close eye on what’s happening out in California.