When the European Union’s General Data Protection Regulation (GDPR) came into effect, the stipulations of this act had far-reaching ramifications for organizations across the globe. Unlike other legislation that typically limits its obligations to legal entities operating in its jurisdiction, the GDPR forced organizations that were not located in the European Union (EU) to adopt its terms and conditions or face financial penalties.
The core tenet of the GDPR was that any organization that processed the data of EU citizens was accountable for protecting EU customer data. This directive meant that even if an enterprise had no legal representation in the EU, they still needed to adopt the rules and put the appropriate measures in place to comply with the regulation.
Soon after the GDPR became enforceable on May 25th, 2018, the state of California passed its Consumer Privacy Act of 2018. The CCPA becomes effective on January 1, 2020. Similar to its European counterpart, this state legislation demands that organizations managing the personal data of Californian citizens need to put particular measures in place to protect the information under their care.
The California Consumer Privacy Act
The California Consumer Privacy Act of 2018 (CCPA) has transformed the way enterprises have traditionally stored, processed, and sold personal consumer information. Its primary goal is the protection of individual privacy and allows consumers to access their data as well as opt-out of having it shared with third-parties.
In addition to the stated consumer rights, the CCPA also provides Californian residents with the right to be forgotten. It also allows organizations to compensate consumers if they agree to the sale of their personal data. With an effective date of January 2020 rapidly approaching, organizations that need to comply with the provisions of this act need to have the appropriate systems and processes in place.
CCPA Compliance Thresholds
Similar to the GDPR, the CCPA’s reach is not limited to organizations that are resident in California. Any enterprise that stores or processes the information of any California resident and exceeds any of these three thresholds needs to comply with its regulations:
- Any business that has an annual gross revenue that exceeds $25 Million.
- Any enterprise that derives 50% or more of its annual income from selling personal information.
- Any organization that buys or receives the personal information of more than 50,000 consumers, households, or devices annually.
CCPA Compliance Requirements
If your organization processes or stores the information of California residents and exceeds any one of the three stated thresholds, you need to comply with the stipulated provisions of the CCPA. These compliance requirements include:
- Informing consumers of the type of personal information your business will be collecting, storing, or processing.
- Clearly defining the purpose and outlining the reason behind the personal data being gathered.
- Implementing the appropriate measures to respond to individual consumer requests regarding their personal information.
In addition to these measures, the CCPA also has specific provisions for the protection of children. Compliance with this legislation requires organizations to obtain explicit consent from parents of children younger than thirteen.
Proactively disclosing when personal data is sold or exchanged for other commercial services is also a CCPA mandatory requirement. Another core principle enshrined in the CCPA is that enterprises must give consumers the ability to opt-out. If Californian residents do not want to share their personal information with third-parties, organizations must honor this decision for no less than twelve months.
Organizations that fail to comply with this piece of state legislature face financial penalties that range from $2,500 per violation up to $7,500 if the non-compliance is deemed intentional. In addition to these monetary sanctions, organizations also run the risk of reputational harm. Many believe that this act is a reaction to the flagrant disregard for personal privacy as revealed by many scandals such as the one involving Facebook and Cambridge Analytica in early 2018.
Prepare Your Business for the Rise of Digital Privacy
Online privacy has become a central theme for many users that embrace digital services. The GDPR and CCPA are reactions to this growing demand from both consumers and governments. Moving forward, organizations need to take responsibility, secure, and ethically use the personal information that they collect, process, and store. The need for absolute transparency has become a vital business requirement in today’s digitally-driven economy.
Even if your organization does not need to comply with the GDPR or CCPA, you need to start implementing the appropriate processes, policies, and technologies to meet their stated objectives. The consumer demands for privacy and transparency are only going to increase, and it is only a matter of time until other states and governments enact similar legislation.