You may have heard of the EU’s GDPR (General Data Protection Regulation), but what about the CCPA? That stands for the California Consumer Privacy Act, and it’s something every company, regardless of its size or where it does business, needs to know about.
The CCPA is a bill passed by the California state legislature and signed into law on June 28, 2018. It goes into effect January 1, 2020, and enforcement will begin in July 2020. Similar to the GDPR in the EU, the CCPA grants nearly 40 million California consumers “new rights with respect to the collection of their personal information.” That is great for consumers, but a little confusing and concerning for businesses that aren’t sure if they’re required to comply.
First, here are just some of the rights the CCPA grants consumers:
Does this mean that every business that has a customer in California has to comply with the CCPA? Not exactly. Businesses are required to comply if they meet just one of the following preconditions:
As long as your business doesn’t check any of the above boxes, you’re off the hook, at least for now. But the question put forth by these proactive governments isn’t what is required to be compliant, but what responsibility businesses have to their consumers. Good business practices dictate that companies should be seeking "compliance and beyond" by doing more than just the minimum.
We are all consumers. Every one of us has personal information floating out there that we would probably rather keep safely protected. It’s a bit unnerving to wonder if our data is being abused, but without many laws in place, we just have to hope it won’t get into the wrong hands. Millions of people aren’t as optimistic. They’ve already been victims of data breaches. For them, it’s too late.
Take, for instance, the Capital One data breach earlier this year, in which 100 million customers were told their personal data had been compromised. When they filled out forms, created their usernames and passwords, input their data, and searched the bank’s site, they had no idea what the bank was doing with all of that data. They didn’t ask and the bank didn’t tell.
Then, there’s the Facebook breach. More than 540 million pieces of users’ personal information were publicly exposed. Just think about what people put on Facebook. Some share more than others, but few realize just how much data Facebook is constantly collecting and sharing about them. They don’t ask. Facebook doesn’t tell.
But it’s not just Facebook that has this data. They allow third-party businesses to have access to your data. Who knows what their privacy policies are, if they even have them. Yet, even as we hear of these breaches, we continue to put our data out there and everywhere, hoping the organizations with whom we do business will somehow safeguard our data. Laws like the CCPA and the GDPR aim to force them and all businesses to do the right thing by their consumers. The regulations may seem like a pain for businesses, but as consumers ourselves, isn’t it the best thing for all of us?
California may be the first U.S. state to put forth such strict consumer privacy rights, but all indications point to more states following suit. If California sets the precedent, here are some of the CCPA regulations that other states are likely to require businesses to comply with in the future:
The clock is ticking. Now is the perfect time to put a plan into place to not only comply with the CCPA and the GDPR, but also to comply with the inevitable privacy laws that will follow. The good news is, once these practices are established, compliance should be much easier, even automatic.
For instance, businesses can place a cookie consent pop-up box on their website that informs visitors that the site uses cookies and gives them the ability to opt in or opt out. Using a commercial consent management platform, it’s easy to customize the appearance and the language so it’s applicable to the visitor’s geographical location. In this way, no matter which state the visitor resides in, the cookie consent will comply with their state regulations.
Further, tools exist to help businesses streamline their privacy policies and even grade them with a score. These scores can be a great way to advertise how your business puts its money where its mouth is when it comes to protecting consumers’ rights to privacy. The higher the score, the more responsible and proactive the company. Visitors can rest assured they are doing business with a company that meets or exceeds the CCPA, the GDPR, or any state or federal data privacy regulation.
As these privacy standards become more familiar and as more states jump on board, the companies that lead their industry in compliance will have a competitive advantage. Consumers will be able to compare businesses and choose which ones value their rights to privacy and which ones lag behind. As consumers ourselves, which companies would we want to do business with, even if it meant paying a little more? What is your personal data privacy worth? The tolerance for breaches and non-transparency will likely decrease over time.
Businesses that fail to comply will face more than penalties; they risk losing valuable market share they may never recover and they risk losing consumer trust. Remember, CCPA is just one of many data privacy laws. Good privacy programs abide by and even exceed the requirements of many laws.