As we enter 2019, many California law firms, corporations, and businesses must turn their attention to the California Consumer Privacy Act (CCPA). Much like the European Union’s General Data Protection Regulation (GDPR), the CCPA will set forth new requirements for securely handling consumer data. Due to the specific qualification criteria of the law, many of the businesses affected will be in the insurance and legal industries. In this article, we’ll cover the basics of CCPA requirements and the expected impact for businesses.
Is your business going to be affected by the CCPA?
First and foremost, the CCPA only applies to for-profit companies. A company is covered if it collects and processes personal information of Californians; it does not need to maintain a physical location in the state. The business must comply with CCPA requirements if it meets even ONE of the following criteria:
- The business generates annual gross revenue in excess of $25 million;
- The business receives or shares personal information of more than 50,000 California residents annually; or
- The business derives at least 50 percent of its annual revenue by selling the personal information of California residents.
How does the CCPA define personal information?
In order to accurately determine the effect of the CCPA on your business, you’ll need to assess the information you collect on your consumers. The CCPA defines personal information very broadly, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Based on this definition alone, most legal and insurance-related businesses would qualify. Medical businesses governed by California’s Confidentiality of Medical Information Act or HIPAA are exempt. The CCPA takes the definition one step further and includes examples of personal information. The law names Social Security numbers, driver’s license numbers, purchase histories, and digital identifiers as “personal information,” which significantly broadens the scope of affected businesses.
What does the CCPA mean for consumers?
The goal of the CCPA is to give consumers more privacy and control over their personal information. The law will accomplish this by creating the following policies:
- Businesses must publicly post a notice disclosing what information is being collected and used, and to whom it will be sold or freely disclosed.
- Businesses must create a simple and seamless process to opt out of the sale of personal information.
- Businesses must delete all personal information at the request of the consumer and must notify the consumer that they have the right to make such a request.
- Businesses may not discriminate against those who exercise their rights under the CCPA, and they generally may not charge additional fees based on whether consumers have opted in or out of data protection.
How will the law handle businesses that don’t comply?
Fortunately for many California companies, the CCPA will not take effect until 2020, which creates a lengthy runway for businesses to prepare for compliance. However, in situations where a business fails or refuses to comply with the CCPA, consumers may file lawsuits, and the business could be subject to civil penalties.