Personal data is collected from us all the time. eCommerce sites store information about our purchasing habits so they can push the products we’re most likely to buy. Healthcare organizations collect everything from our vital signs to our treatment histories so that practically any physician in any facility can know critical details about our health, such as drug allergies. And courier services store our location data to provide directions via the fastest routes.
More often than not, we’re happy to provide our information to companies that will use it to serve us better. However, knowledge is power, and power can be abused.
California’s response to the threats to privacy
Because privacy breaches can deeply affect individuals and society as a whole, California has passed the Consumer Privacy Act of 2018 (CCPA), which will be implemented in January 2020.
The CCPA grants California consumers five basic rights when it comes to their personal information:
- The right to know what personal information a business has collected from them, where it was collected, and what it is being used for;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to prohibit a business from selling their personal information at any time, even if they’ve previously given their consent;
- The right to have a business expunge their personal information, except in certain cases, such as when a company still needs it to conduct business relations with the consumer; and
- The right to equal service and pricing, regardless of whether they exercise their privacy rights under the CCPA.
What is personal information?
The Act defines it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This type of information can range from recent purchases to internet browsing histories to “probabilistic identifiers” such as tracking information. As of this writing, information kept by government agencies is excluded from this definition as long as the data was legally sourced and is used solely for the purpose for which it was obtained. This exclusion may change, as the California government is looking to apply similar controls to its own agencies.
Will my business have to comply with the CCPA?
If yours is a for-profit firm that does business in California and stores and controls the personal information of California residents, then yes — but only if it meets one or more of the following criteria:
- Your company earns over $25 million;
- It discloses or obtains the personal information of at least 50,000 California residents, devices (such as smart refrigerators), or households on an annual basis; or
- It earns at least 50% of its annual income from selling the personal information of California residents.
Note that the CCPA does not apply to the collection of personal information if it was for commercial conduct taking place completely outside of California. That is:
- Your firm collected personal information of a California resident, but only while that consumer was outside California;
- No part of the sale of any California resident’s information ever occurred in California; and
- The information obtained from a consumer outside of California is kept separate from that obtained within California, and the latter type was never sold.
What does all this mean for my business?
By January 2020, your business must provide disclosures and notices to customers via the terms and conditions of your website and other means. You’ll need to inform California consumers that you’re collecting their information at or before the point of collection. You’ll have to disclose the categories of information you’ll collect and what you’ll use it for. You must also inform your customers about their rights, such as their right to opt out of the sale of their personal information.
The CCPA has a particular requirement for this: Your homepage for the general public — or the California-specific homepage where California consumers are directed to — must have a clearly visible link to a webpage titled “Do Not Sell My Personal Information.” This webpage will enable consumers to opt out of the sale of their personal information. Once a person opts out, the Act requires your company to “respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”
The law imposes fines for violations. As the law currently stands, companies are given 30 days to address any alleged CCPA violation, and those who fail to resolve it may incur up to $7,500 in civil penalties per violation. This might not sound like a lot, but violations are counted per consumer per incident, which means that noncompliance involving even just a hundred customers could cost three-quarters of a million dollars in penalties.
You only have 2019 to update your customer relations and operations processes. This may mean additional personnel such as compliance officers and/or IT specialists. This is important, especially when you consider that the Act may use terms familiar from other laws but apply different standards to them. For instance, the standard for “de-identified data” under HIPAA (Health Insurance Portability and Accountability Act) differs from the one under the CCPA.
Alternatively, you can have a reputable managed services provider such as USWired help you with all of your regulatory compliance needs.
As privacy is becoming a greater concern among consumers, expect more regulations to come. Contact us — we have the expertise you need to safeguard the privacy of your customers.