Get Ready for America’s GDPR: CCPA
Over the course of the last few years, the level of complexity behind data protection has been matched only by how necessary it has become.
With the passing of the GDPR in 2018, Europe paved the way for regulation and compelled companies to focus on customer trust, an essential element of a sustainable business model. This is paramount, as businesses have started basing high-level decisions on consumer data.
With regulation comes the emergence of new opportunities. The same logic that brought on GDPR will be stateside on January 1, 2020, when the California Consumer Privacy Act (CCPA) is put into effect. This legislation will allow California residents more control over their personal data. The objective is simple: provide better consumer protections and enhance the respect of privacy by improving transparency regarding the way companies are using their users’ data.
Servicing California Consumers with Law
CCPA, which was signed in June of 2018, enacts some of the most stringent consumer data privacy protections in the United States. While still a few months from officially being put into effect, the US is slowly strengthening the rights of its citizens.
And while it is specific to consumers in California, any company that does business or collects personal data — directly or through third parties — in the state must adhere to its restrictions.
The definition of personal data within CCPA is quite broad, including all information that identifies, concerns, describes, or can be associated — directly or indirectly — with a particular consumer or household.
This definition covers what is generally considered to be “personal data,” such as names, addresses, social security numbers, and telephone numbers, but it also includes all information that can be linked to a California consumer. This type of information includes IP address of a terminal, location, actions taken within an application, purchase history, or user identification.
How Will Consumers Be Protected?
The goal of this regulation is to allow California consumers to better exercise control over their personal information and security by becoming owners of their own data.
The regulation explicitly protects the personal information of California consumers ages 13 to 16, clearly stating that companies are prohibited from selling users’ personal information without their consent. CCPA also prohibits companies to collect personal information from California minors under the age of 13 without the explicit consent of their parents or guardian.
CCPA also aims to force companies to make the type of personal data they collect public and inform users that their data will be shared or sold to third parties, allowing them the opportunity to opt out.
The new law provides actionable rights for California citizens, allowing every citizen to know what personal information is collected from them, request access to it, and demand its deletion. Citizens will have the right to prohibit the sale of their personal data and can legitimately ask to know with whom it is being shared with and to whom it is sold.
Finally, the application of CCPA must not lead to discrimination; thus, a user exercising their right to confidentiality must be allowed to continue their service at the same quality and at the same price.
It should be noted that cybersecurity is also one of the concerns of California law. Companies must ensure security over the personal data they store. If a company is a victim of personal data theft as a result of hacking, then its responsibility will be at risk.
To Give Back to Caesar What is Caesar’s
Even if CCPA only authorizes sanctions if a violation has been found, each Californian citizen is authorized to take civil action against any company that violates the law, thus opening the door to collective action. If a company’s practices are not in compliance with the new Californian provisions, the state may directly initiate proceedings against it and fine the company $7,500 per data disclosed if the company does not remedy the situation within 30 days. However, if the violation is found to be unintentional, then this fine is reduced to $2,500.
Finally, regarding possible data leaks, the law provides civil compensation ranging from $100 to $175 per California resident whose data was obtained, even in the absence of material damage.
CCPA is certainly only the beginning of a more global awareness in the United States, protecting its citizens’ data against abuses from companies or organizations. This is a first step that could lead other states to introduce similar regulations.
In addition, federal legislation could emerge in the medium term. On September 10, 2019, a group of 51 CEOs from US companies sent an open letter to Congress calling for the implementation of a law regulating the collection, processing, and use of personal data at a national level.
Some of these companies are technology giants such as Amazon, AT&T, IBM, Motorola, and Qualcomm. They think that privacy laws vary too widely from state to state, causing both confusion among consumers and a threat to the United States’ competitiveness.
Through this approach, their desire is to promote and provide a stable and legal environment at the federal level to create products and solutions where economic actors and users can find a consensus on the use of personal data.
Jean-Noël Barneron is Chief Innovation Officer at HEROW.