There’s a Polish idiom that translates as, “Not my circus; not my monkey.” As in, not my predicament; not my problem.
Prior to the enactment of the GDPR, many U.S. companies probably figured the E.U.’s new data privacy regulation wasn’t their circus. A lot of them found out differently. And if the GDPR wasn’t their wake-up call, then the California Consumer Protection Act (CCPA) certainly should be.
Why? There’s the fact, of course, that California is the world’s fifth-biggest economy, so any company out to conduct business there has to be compliant with the CCPA. But there’s also the fact that it’s only the first of the new data privacy laws being considered or already in place in over a dozen other U.S. states, evidence of the public’s growing demand for data privacy protection.
What’s also significant about the CCPA is its potential impact on businesses outside of California. As with the GDPR, not having a physical footprint in that market doesn’t mean you can neglect compliance.
Who does it affect?
For-profit companies meeting at least one of the following criteria should take note:
• Companies with an annual gross revenue of $25 million or more.
• Companies that buy, use, sell or share personal information belonging to at least 50,000 consumers, households or devices in California.
• Companies that earn at least half their annual revenue from selling consumers’ personal information.
You’re also exposed if you’re a B2B firm that doesn’t collect what you might consider “personal” data, but you do capture names, business phone numbers or email addresses. In the eyes of the CCPA, your business contacts are still “consumers.”
The Complexities Of CCPA Protections
As I said above, even if you’re not based in California, you’re still subject to the CCPA if you hold, collect, share or sell the personal information (PI) of any state resident. Here’s the twist: The CCPA considers residents to be under its umbrella even when they’re outside the state. So you can imagine the identification, tracking and data management complexities that alone presents.
Like the GDPR, the CCPA includes a “right to be forgotten” for consumers, but the CCPA’s interpretation creates even more work for data and compliance managers.
There is an exception to this right when a consumer requests that you delete PI but you need it to complete your business with that person. Other exceptions include:
• Hanging on to their information to mail them a product they’ve paid for.
• Keeping track of their purchase history for tech support purposes.
• Holding data because of a legal obligation to do so.
Another wrinkle? A consumer can permit you to keep but not share or sell their data, adding another complication to managing data cleanly under the CCPA.
Will noncompliance hurt?
Like California’s real estate, CCPA noncompliance gets expensive fast. Failing to delete a PI record when asked, selling it without permission or allowing it to leak means a minimum fine of $2,500 per record. This escalates the longer you take to fix an issue. And if a data breach was caused by a known issue you ignored? The fine goes to $7,500 per record.
Multiply that by the number of PI records that might be part of a breach or mistake. The FTC recently settled with Facebook for $5 billion related to data privacy breaches, including Cambridge Analytica. Earlier, Facebook released a document showing 6,787,507 Californians might have had PI improperly shared. Under the CCPA, Facebook could have been fined a minimum of almost $17 billion for its mistakes.
Most companies aren’t Facebook. But the lesson is clear: Compliance with the CCPA is going to be central to doing business with Californians. Data privacy compliance is becoming everybody’s circus, everywhere — and its monkeys can cause disaster for your enterprise.