Data breaches have come to seem almost run-of-the-mill to modern consumers. Large-scale breaches were recently experienced by Equifax and Capital One, leaving over 100 million consumers affected in the US alone. Affected consumers have some recourse thanks to a global settlement, but for many, that’s not enough to make them feel secure. Today, consumers just tend to expect that their personal information will be compromised at some point. And not without reason: the Privacy Rights Clearinghouse suggests that more than 10 billion records have been compromised in well over 9,000 breaches since 2005.
In some parts of the country, however, legislators are taking action to protect consumers from the many privacy hazards associated with the internet. Arguably the most notable consumer privacy-based legislative effort in the United States is the California Consumer Privacy Act.
Experts believe that similar laws will follow in several states and that a federal effort may be coming sooner than most people realize. Given the accelerating pace of legislative change, it’s worth examining the CCPA and its myriad implications for the future of consumer privacy.
What Is the California Consumer Privacy Act of 2018?
Signed into law by Governor Jerry Brown in June 2018, the California Consumer Privacy Act (CCPA) aims to enhance consumer protection and privacy rights for the residents of California. The new legislation will officially take effect in January 2020.
CCPA establishes several rights held by private consumers residing in California. These include the rights to:
- Know the extent to which their data is collected and whether that data is ultimately sold
- Access personal data collected by any entities covered by the legislation
- Refuse the sale of personal data
- Request the deletion of any collected personal information about the consumer in question
- Avoid discrimination or retaliation for exercising privacy rights established under CCPA
In addition to outlining consumer rights, CCPA also highlights several key responsibilities that businesses must uphold. CCPA compliance requirements include:
- Implementing processes for securing parental consent before collecting information from users under the age of 13, as well as affirmative consent for users between the ages of 13 and 16
- Designating toll-free phone numbers and other options for procuring data access
- Including links on website home pages leading to pages outlining the “Right to Say No to Sale of Personal Information”
- Updating privacy policies to include information regarding California residents’ privacy rights
- Avoiding requests for consent to opt in for at least twelve months after consumers have opted out
Which Businesses Are Impacted by CCPA?
CCPA will affect a variety of businesses based in California, but its reach extends beyond the state’s borders too. Enterprises simply doing business in the state of California or collecting information from California residents will also be required to comply with the new legislation, assuming they meet the following thresholds:
- Possess personal information from at least 50,000 devices, consumers, or households
- Exceed $25 million in annual gross revenues
- Earn at least half of said annual revenue by selling consumers’ private information
It doesn’t matter if the businesses that meet these thresholds lack a physical presence in the state of California. They don’t even have to be organized under California law. Simply collecting or selling the information of California residents is enough to necessitate compliance. For this reason, CCPA may impact hundreds of thousands of United States enterprises, including several small to midsize businesses.
CCPA promises to transform the way businesses collect and utilize personal data, as well as the way consumers handle their information online. By understanding your rights as a consumer—and the requirements placed on the companies you do business with—you can keep your information safe and minimize the risk of having your data accessed or sold improperly.