California has passed the California Consumer Privacy Act (CCPA), a law that protects the privacy rights of consumers within the state. Similar to Europe's General Data Protection Regulation (GDPR), the CCPA will affect many businesses that collect personal information from people in California. Here's what you need to know about the act, and what you can do to prepare as a small business owner.
What is the CCPA?
Matt Dumiak, director of privacy services at CompliancePoint, and Greg Sparrow, senior vice president and general manager of CompliancePoint, said that the CCPA is a bill that will require businesses to implement new policies and procedures to ensure protection of personal information. This includes privacy policies, security protections and facilitation of consumer rights.
However, businesses are not required to honor all consumer requests. Each should be analyzed to ensure the business is only honoring those applicable, they said.
According to the CCPA website, the act protects the following consumer rights:
- Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
- Right to refuse the sale of their information
- Right to request deletion of their data
- Mandated right to opt-in before the sale of information of children under 16
- Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
- Enforcement by the Attorney General of the State of California
- Private right of action should breach occur, to ensure companies keep their information safe
Dumiak and Sparrow said that businesses have 45 days to respond to consumer requests, and that damages recoverable for a breach are limited to $750 per consumer per incident.
The version of the CCPA proposed before it was amended and enacted as Assembly Bill 375 contained more stringent regulations that might have nearly paralyzed the tech industry, which has thrived in California's Silicon Valley. But Dumiak and Sparrow noted that the enacted CCPA gives businesses a 30-day window to cure any violation, so long as they can show that it has been cured and will not recur. Otherwise, violators can face penalties of up to $7,500 per intentional violation.
How does it affect SMBs, and what can they do to prepare?
Dumiak and Sparrow noted that the bill will apply to "any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50 percent of its annual revenue from selling personal information." This includes businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located.
The average annual revenue for a small business is well below $25 million. In fact, for businesses with between 20 and 99 employees the average revenue is $7,124,000, according to QuickBooks. While the thresholds in this bill might exclude many small businesses, that doesn't mean you shouldn't prepare.
"The CCPA provides small businesses with incentive and motivation to start thinking about the personal data processed and protected within their business environment," said Dumiak. "Most organizations feel resource constrained and small businesses are no different, if not more so."
"California's law will raise the bar significantly, and this won't be the last time it's raised as states seek to emulate the EU's new GDPR," added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law. "This measure is likely to increase litigation as more consumer rights are created and expanded."
While California is just one state, its law is raising awareness and prompting privacy advocates elsewhere to push for similar measures. Businesses should expect comparable laws to be passed in other states in the next few years.
"Congress will feel pressure from both pro-privacy advocates to endorse the rights created by California, and businesses to try to bring uniformity to what is increasingly a dynamically evolving policy area," said Cattanach. "The bottom line is that this leverages on the concepts contained in GDPR and is certain to be picked up as the standard by other states."
The CCPA will not go into effect until 2020, so small businesses have a little time to prepare. To do so, Dumiak said, they should review areas of business including:
- Information security posture
- Personal data processing
- Honoring of access requests
- Other applicable rights or requirements
"Further, the fines and privacy right of action while having an impact on any organization, will arguably be a larger percentage of their revenue and more impactful on business operations and revenue," said Dumiak. "While many see regulation as a headache, this regulation is a terrific opportunity for organizations, small and large, to get much needed resource help in the security and business operations space."
If your small business hasn't already hired a data privacy consultant to make sure your company is compliant with GDPR, now may be the time to look for one. Consider someone certified by the International Association of Privacy Professionals (IAPP), the largest global information privacy community, which has some 40,000 members.