If you have a business in the European Union, during this last year you have most likely been hearing nonstop about the General Data Protection Regulation (GDPR). If you also have one in the United States, then you know that there is no federal legislation comparable to GDPR, only certain relevant laws that apply in specific cases, such as the Health Insurance Portability and Accountability Act (HIPAA).
However, the California Consumer Privacy Act (CCPA) is being seen as the new GDPR for the US. In this article, I will try to explain to you why. I will tell you all you need to know about this upcoming legislation, what you need to do to stay compliant, and how 5CA is preparing for CCPA.
What does CCPA have to do with the gaming and tech industries? Well, CCPA applies to businesses that collect personal information within California, regardless of the industry they are in, which is why all companies need to be prepared for its arrival.
TABLE OF CONTENTS
- Understanding CCPA
- Who does CCPA apply to?
- When does CCPA start?
- Goals of the legislation
- Consumer rights under CCPA
- CCPA versus current laws
- What is 5CA doing about CCPA?
- Steps towards compliance – The CCPA readiness checklist
Understanding CCPA
CCPA stands for California Consumer Privacy Act. It is a new bill, passed in June 2018, that introduces new rights for consumers as well as obligations for the various companies that collect their personal information.
Why is CCPA comparable to GDPR if it only applies to California? Well, that is an excellent question. The difference with CCPA is that it will impact a lot of big companies: not only those located in California (all of Silicon Valley), but also all those who collect any data from California consumers, regardless of where they themselves are located.
Thus, companies in the US will have to decide how to tackle this issue: do they want to adapt their websites and make them different for a) California and b) the rest, or do they want to unify this and apply it to every consumer?
Many seem to think that CCPA will be the first big step towards the unification of this type of measure; while the law itself only applies to California, it is likely that companies will apply these measures country-wide, such as, for example, a clear option to opt out of an individual’s information being sold. Moreover, California, being such a tech hub, is trying to keep up with technological advances, and that might spark the same type of legislation in other states, or even at a federal level.
Who does CCPA apply to?
CCPA will apply to businesses that obtain personal information from consumers who are residents of California.
This means that a few different conditions have to be met:
- Your company must classify as a business under CCPA. To do so, you need to meet any of the following three criteria:
- Have an annual gross turnover of over 25 million US dollars.
- Buy personal information of over 50 thousand consumers, households or devices.
- Derive 50% or more of your annual revenue from selling personal information from consumers.
Thus, if you meet any of these criteria (one or more), you classify as a business under CCPA. If not, then you are not considered a business for the purposes of this law, and the rest of the obligations will not apply.
- You must be collecting personal information. This concept means ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household’ and will include a comprehensive list of characteristics, such as:
- Identifiers like name, last name, nicknames or aliases, postal address, any unique identifiers, IP address, email addresses or account names, any ID, driver’s license, or passport number.
- Commercial information, such as products or services purchased, records of personal property, or other history of purchasing or consumer habits.
- Biometric information.
- Internet activity that might include browsing history, information regarding a consumer’s use of a website, apps, or ads.
- Geolocation data.
- Information regarding a person’s employment.
- Information regarding a person’s education (that is not publicly available).
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Conclusions reached on the basis of other information such as that mentioned above, used to create a profile of a consumer that reflects that consumer’s preferences, characteristics, proclivities, behavior, etc.
- The information you are collecting must be about consumers. So, if for example this information is about your own employees, it will not be covered by CCPA unless they are also customers.
- The consumers whose data you process must be residents of California. If the data you are processing is from residents of other states, you are not bound by CCPA.
When does CCPA start?
CCPA will enter into force in January 2020. Although this might seem like plenty of time, preparation will require a lot of time and work, so the sooner companies start working on it, the better. The good news is that if your company has prepared for GDPR, then you are already more prepared than a lot of other businesses! If you want to know what the differences between CCPA and GDPR are, we recommend this article: CCPA vs GDPR
If you have already determined that CCPA will apply to you, it is important to start preparing for it. Interestingly, a recent survey carried out by PwC in the US found that about half of the businesses that will be affected by CCPA claim not to be ready for it.
Goals of the legislation
The introduction of CCPA has a few different goals, but one of the main ones is protecting California residents’ right to privacy by giving them a say in how their information is used. This goal of safeguarding Californians’ privacy is partly a response to the current inability to carry out any sort of action online without having to provide personal information.
It seems impossible to carry out any activity, from reading articles online, to purchasing clothes at a store, to joining a social media group, to making any sort of appointment, without having to provide multiple types of personal information. Thus, as CCPA says in its preface, it provides not only enforcement by the Attorney General but also a private right of action for consumers.
Being such a tech hub, California is attempting to keep legislation up to date with the technological developments, as the previous laws did not encompass a lot of issues that have arisen with the introduction of several new technologies.
A good example of this is smart devices that track an individual’s health information or geolocation. How is this data being used, and how is the consumer supposed to know? Perhaps their health or performance information is being resold to another company, which may later offer them vitamin supplements or a weight-loss program. CCPA will then ensure fair treatment of consumers’ personal information.
The Cambridge Analytica scandal has also been a great example of how people’s information was misused without their knowledge; it also highlighted the need for regulation of companies’ use of consumer data.
Personal information was misused because people had provided information online for a specific purpose, for example socializing or purchasing products. That information was later used for a completely different purpose, such as feeding fake news that helped sway public opinion in the most recent presidential election in the US.
The people involved in that scandal had likely never imagined that their information, such as their habits and interests, would be used in such a manner. Thus, while in most cases providing personal information to a business may not have a significant impact, the misuse of consumers’ information can have devastating results for individuals. For these reasons, CCPA introduces a few rights for consumers, which you can find in the next section.
Consumer rights under CCPA
CCPA introduces various rights for consumers, and corresponding obligations for businesses, that are meant to provide consumers with sufficient information and the ability to decide whether their information is collected and/or sold, and thus potentially prevent their information from being used for other purposes.
The rights that consumers have under CCPA are the following:
- The right to know whether their information is being sold or disclosed to other companies, and to whom specifically. So, if for example a company shares the consumer’s information with another company for marketing purposes, this will have to be explained to those consumers.
- The right to say no to their personal information being sold by businesses. This is known under this law as the ‘right to opt-out.’ If a business is selling the information of consumers, it is obliged to provide consumers with an option to opt out, and it cannot object to this or require any justification for it. Therefore, the consumer’s word is final.
- The right to access their information. As with GDPR, consumers have the right to access the information that the business has on them. Upon receiving a request and verifying the identity of the requester, the business has an obligation to provide them with all the information it has on that person from the last 12 months.
- The right to request the deletion of any information that a business has on them. While the right to opt-out has no derogations, there are a few exceptions to the right to deletion, such as when that information is necessary for legal reasons. Therefore, while the consumer may request the deletion of their information, it is not always guaranteed that all of it will be deleted, as some of that information might be necessary for the business.
- The right to equal service and price. According to this right, equal treatment, as well as equal pricing, has to be offered to consumers regardless of whether they have exercised their privacy rights or not. Moreover, this right also means that consumers can request access to or deletion of their data, or refuse to let the business sell their data, whether or not they have purchased something or have an account on its site.
- Aside from the right to opt-out, there is also what is known as the right to opt-in, which concerns the selling of information from minors under 16. The standard is that information from minors is not collected or sold; however, minors between 13 and 16 years of age can decide for themselves to opt in. If they are under that age, their parents can opt in for them.
CCPA versus current laws
While CCPA is the initiative that has now been adopted on the matter of data privacy legislation for the State of California, there are many other laws that have been proposed or are being discussed in different states of the US.
In fact, there are about fifteen laws currently being discussed in other states aside from California, while a few others have been turned down by their relevant states, as was the case with Washington. In most cases, there’s a balance to be struck between the individual’s right to privacy, public interest, as well as the interests of companies.
To keep up-to-date with the situation in each State, we recommend taking a look at this page from the International Association of Administrative Professionals (IAPP).
You might be wondering whether there are any federal laws that apply to the area of data privacy. While there are some bills meant for a specific industry or area, such as HIPAA for the healthcare field, there is no federal law that deals with data privacy for consumers.
Nevertheless, discussions are being carried out to create a federal framework that can simplify and even out state laws. While there is no assurance that such a law will be passed, hearings have been held for this purpose, and legislation similar to CCPA, such as the New York Privacy Law, could serve as an encouragement to continue this process.
There are existing frameworks that could be used for this purpose, such as the Federal Trade Commission Staff Report ‘Protecting Consumer Privacy in an Era of Rapid Change’ which, despite its age, does provide for very thorough protection of consumers’ rights. Nevertheless, it will be up to legislators to decide what their proposal will be based on.
Compatibility with other laws
An important question is how compatible CCPA is with other laws that relate to or have implications for data privacy, such as the previously mentioned HIPAA. Do these different regulations have different scopes of application, or is there a chance that they might overlap? And if they do overlap, which one has priority in case of contradictions?
While at first glance the different regulations seem to concern unconnected topics, like healthcare, financial information or driver’s privacy, there are instances in which more than one of them could be applicable. For example, if a private healthcare provider falls under the scope of application of more than one of these laws, CCPA would, in theory, protect the consumers in a different manner.
Not to worry though, as CCPA is very clear on this topic and introduces several exceptions in which CCPA will not apply. These are the following:
- California Financial Information Privacy Act
- Driver’s Privacy Protection Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Confidentiality of Medical Information Act
- Health Information Technology for Economic and Clinical Health Act
- Gramm-Leach-Bliley Act
Therefore, if there is a conflict in which CCPA and another of these Acts both seem to apply, the Act from this list of exceptions (rather than CCPA) will be the one to prevail.
What does the future look like for privacy laws in the US?
As mentioned above, while various states are trying to pass legislation on the subject of data protection to regulate the obligations of companies as well as the rights of individuals, some of these attempts have so far been fruitless. CCPA has been, to this point, the most significant legislation in this regard to have been accepted and, because companies like Google and Facebook are located in California, it promises to be a game changer.
However, a federal law, or guidelines to frame all these different laws, would be highly necessary for a more homogeneous application within the US. If there is a framework at the federal level, then the state laws will not need to be as complicated as they currently are. Having such a framework as a starting point would go a long way towards making the process faster and more seamless.
Possible updates to CCPA
While CCPA has already been approved and should start running by January 2020, the fact is that there are still a few points within this legislation that are proving contentious and are still being debated. For this reason, it is possible that individual sections of CCPA will be set aside or modified, which is why it is essential for businesses to stay up to date with relevant updates.
The same will happen if legislation on the topic of privacy is introduced at a federal level: if the thresholds introduced by this potential law are lower, or the matters left to the states differ from the provisions set out by CCPA, there will be a need for a change in this law.
What is 5CA doing about CCPA?
Just as we did for GDPR, we have been preparing for months to be ready once CCPA starts rolling: from creating and optimizing our flows and processes, to updating privacy policies, to providing our clients with advice and different options for becoming CCPA compliant. You can read more about it on our Data Privacy and Security page.
Most of 5CA’s clients have dealings in the US, so we are prepared to provide them with advice and guidance, as well as tailored solutions for them to be CCPA compliant. Whether it is their privacy policies, a phone line for CCPA requests, or any other type of guidance, we are ready to start your road to compliance!
Steps towards compliance – The CCPA readiness checklist
If you are still feeling unsure of what to do next regarding CCPA, I recommend you follow this readiness checklist I have prepared for you.
- Determine whether CCPA applies to you. Don’t know how? Take a look at the CCPA scope of application. Establish whether you are a business and whether you fall under any of the exceptions, then look at your location and whether you have consumers in California, and finally at the deadline by which you have to be ready.
- Once you’ve determined that CCPA applies to your business, make sure you familiarize yourself with the concepts within this law, like what personal information is, for example. We’ve explained a lot of those in this article.
- If you have a compliance system for GDPR, go over the process and figure out how you can optimize it for CCPA. You can likely make a few tweaks and additions to it without having to start from zero. If you are GDPR ready, you are well on your way to being CCPA ready!
- Review your procedures for dealing with consumers and see what needs to be improved for CCPA. For example, create different ways for your consumers to make any data-related requests (you need to provide consumers with at least two channels to do this), such as by phone, by email or directly on your website.
- If you are selling customers’ data, make sure you introduce a clear banner or notice through which consumers can opt out of this. This notice needs to be a clear and conspicuous link on the website and must be titled ‘Do Not Sell My Personal Information.’
- Ensure that any contracts you have with your vendors explicitly state that they cannot use the data transferred to them for any other purposes than provided and that they are not allowed to resell that data.
- Make sure to create company awareness and to train your employees about CCPA and how to deal with any request. The more awareness you create, the easier it will be to ensure CCPA compliance!
- Finally, keep up to date with new developments, and always renew your procedures, documents and trainings where necessary. As mentioned previously, some sections might be reviewed, so it is possible that some of these points will change. Therefore, being prepared and up to date with CCPA is essential.
Do you have any more questions regarding CCPA or how it will impact your business? Get in touch, and one of our experts will help you on your road to compliance.