In 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), also known as AB 375. The new law, which takes effect January 2020, follows on the heels of GDPR and will be the strictest data privacy law in the United States.
The legislation had made its way quickly to the State Assembly and the Senate, and was passed by both without any opposition. Lawmakers were under pressure to pass the bill in order to avoid an even more aggressive initiative, sponsored by Californians for Data Privacy, that threatened to make the November ballot.
Although the law recognizes California as one of the world’s leaders in the development of new technology, it specifically notes that the “proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy,” and cites the significant role that technology and data now play in everyday life:
“It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.”
As such, the new law is a significant attempt to empower California residents with increased rights and greater transparency around how organizations collect, use, and manage their personal information.
With the law set to take effect in just over a year, companies are scrambling to get their processes and policies in order. Here are 4 things you need to consider to prepare for the January 1, 2020 deadline.
Will AB 375 Impact Your Business?
It is estimated the law will apply to more than half a million U.S. companies, with the vast majority being small to mid-size businesses.
Companies worldwide will need to comply with AB 375 if they collect, use, or disclose personal information from a California resident, and they meet any one of the following:
- Have an annual gross revenue of $25 million or more; OR
- Buy, sell, or share personal information of at least 50,000 consumers, households or devices; OR
- Derive 50% of annual revenue from selling consumers’ personal information.
The law also applies to affiliated, co-branded entities if they meet the above criteria, even if the affiliate does not do business in California.
Another key component is that the personal information does not need to contain a name. It can include non-identifying data like IP addresses, web browsing history, or buyer behavior.
How Will the Law Increase Transparency on Data Collection & Management?
The law specifically points to Facebook’s recent Cambridge Analytica scandal as a reason for consumers to have clearer visibility into data collection:
“In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica…As a result, our desire for privacy controls and transparency in data practices is heightened.”
AB 375 will now require companies to provide clear information to consumers at the point of collection about:
- Categories and specific pieces of personal data collected
- Categories of sources from which the data was collected
- The business purpose for collecting or selling the data and how it will be used
- To whom the data will be disclosed
What Rights Will Be Given to California Residents?
In addition to consumers having the right to know what personal information is being collected on them, AB 375 provides California residents:
- The right to know if their personal data is being sold or disclosed.
- The right to say no to the sale of their personal information.
- The right to access the information collected.
- The right to equal service and price if they exercise their privacy rights.
- The right to request the business delete any personal information collected.
- The right to opt out of having their information sold to a third party.
How Should You Prepare?
It’s clear from GDPR and the California Privacy Act that every company will soon be required to comply with stricter regulations that strengthen consumers’ rights to data privacy.
Now is the time to get company policies and procedures compliant with key checklist items:
- Develop or refine your data mapping so that it outlines how data is collected, stored, and properly disposed of.
- Review contracts with outside parties to ensure they are adhering to the latest regulations.
- Assess your pricing structure. Under AB 375, businesses are prohibited from discriminating against consumers, charging them a different price or rate, or providing a different level or quality of goods or services, if they exercise their privacy rights.
- Review where and how you communicate your data collection policies to consumers. Ensure policies are clearly visible at the time data is collected, such as on your website or within your contact forms.
- Outline your process for responding to a consumer if he/she requests the information your company has collected.
- Work with trusted partners to ensure compliance. Adhering to the latest regulations can be overwhelming for any business, and the risk of a violation could put your business in jeopardy. It is important to work with trusted industry partners who can help protect your company and stay ahead of regulatory standards.