Golden Gate Bridge covered in fog
PHOTO: Todd Diemer

One year after the EU’s General Data Protection Regulation (GDPR) went into effect, we continue to hear about the challenges of complying with this demanding data privacy legislation. Google was hit with a $57 million fine earlier this year for not properly disclosing to users how data is collected across its services, while Facebook faces several investigations by European authorities. Officials from Ireland and the UK, meanwhile, are poised to announce several new GDPR enforcement actions. 

Not to be outdone, the US seems ready to match the intensity of EU’s GDPR enforcement actions with data privacy legislation of its own. On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect, marking America’s first-ever state data privacy law — and its most far-reaching privacy regulation yet. The new rules set the stage for a fundamental shift in how companies with US-based customers do business and interact with their customer data.

What do organizations need to know as they prepare for CCPA? To start, it helps to understand how the requirements compare with GDPR. 

GDPR vs. CCPA

Like GDPR, the CCPA will have significant global impact, especially because California boasts the world’s fifth-largest economy and is home to many technology titans. The territorial scope of the both laws extends well beyond the physical borders of their respective jurisdictions. The CCPA applies to certain controllers that “do business in the State of California,” regardless of where they are located. In other words, any company that does business in California, or has customers that reside in California, must comply with CCPA. 

The two laws also strive to guarantee individuals much greater control over their data. The CCPA gives Californians the right to:

  • Demand companies disclose how their personal data is being collected and used.
  • Access personal information that is collected, and request it be deleted.
  • Find out whether their personal information is being shared, and if so, with whom.
  • Opt-out of the sale of their personal information.
  • Have equal service and price, whether or not they choose to exercise their privacy rights.

Both CCPA and GDPR also expand the definition of what type of data companies must protect and account for. The CCPA, for example, defines personal data as information that “identifies, relates to, describes, or is capable of being associated with a particular consumer or household.” That includes IP addresses, geolocation data, biometric data and other unique identifiers such as cookies and device IDs.

Finally, CCPA includes GDPR-like fines for violations. California consumers are empowered to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — imposing a $7,500 fine for any violation not addressed within 30 days.

Related Article: California's Data Privacy Law: Taking a Page From the GDPR Playbook

Taking CCPA Head On

Understanding the California privacy act is one thing; determining its applicability is another. You should plan on CCPA compliance if your organization collects California residents’ personal information and at least one of the following thresholds applies:  

  • Earns more than $25,000,000 a year in revenue.
  • Annually buys, receives, sells or shares personal information of 50,000 or more consumers, households or devices.
  • Derives at least 50% of its yearly revenue from selling personal consumer data.

Security will likely dominate most companies’ focus leading up to CCPA’s “go live” date — beefing up firewalls, ensuring the right people have access to the information, etc. That’s a critical puzzle piece, but ultimately businesses need a multi-tiered, multi-pronged approach for addressing the requirements. How ready for CCPA is your organization? Following are three signs you could be at risk for fines. 

1. You don’t know where personal data resides

It can be difficult for organizations to know where to start with CCPA compliance. The best first step is to conduct an audit to identify where personal data resides within all of your organization’s systems and data repositories. The goal is to establish effective procedures so you reliably know where this data is and who has access to it.

2. You think CCPA is just another data management challenge

Most organizations store personal data in multiple repositories and systems, but lack an easy and straightforward way to search, access, and secure information across multiple applications. That’s fundamentally problematic in terms of quickly and easily locating, managing and securing consumer data. It’s even more concerning in a critical area of CCPA compliance: your customers’ access rights to the information you hold about them. When consumers make a data access request, companies will have a deadline to collate all of their data and deliver this information to that individual. Answering these requests is going to be very difficult if the information systems within an organization is not connected in a coherent and manageable way.

3. You expect a silver bullet solution

There will be a variety of vendors offering tools that promise “CCPA compliance,” but such claims can be misleading. For one thing, CCPA is not something you “solve” — it’s a series of best practices and processes to manage personal information better. Moreover, no single solution caters to all aspects of the law. 

Related Article: What Is the California Consumer Privacy Act of 2018 and How Does it Affect Marketers

More Privacy Legislation on the Horizon

California is not alone in passing strict privacy legislation. More than 20 states have internet-related privacy laws about the use of government websites, children’s data, email monitoring and access, or false and misleading privacy policies. It also appears action at the federal level — given the high-profile security breaches of late including Facebook and Cambridge Analytica, Equifax, the Democratic National Committee (DNC), Marriott and many others — to further strengthen personal data privacy might be forthcoming.

It seems likely that, one way or another, a US version of the GDPR is imminent. Taking action in advance of implementation is your best move, especially if consumers continue to get CCPA-like authority to go back to Jan. 1, 2019 to make requests. That means companies can’t afford to wait to start accounting for how they collect and use customer data. You need to develop a strategy and start implementing tools to achieve compliance. The future of your company and its reputation might depend on it.