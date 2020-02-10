It’s here, it’s in force, and if you’re doing business in California, it should be on your radar. It’s the California Consumer Privacy Act (CCPA), and it’s the most ambitious piece of privacy legislation in US history. It marks a new dawn for the privacy rights of consumers in California. If you haven’t already prepared for it, then you’re extremely late, and your business is potentially vulnerable.

Passed in June 2018 within a week of its introduction, it is also among the fastest pieces of privacy legislation ever to clear a US legislature. It came into effect on January 1, 2020, and if your company does business with anyone in California, then it affects you. If you have not taken steps to comply with it, there is no time to lose.

The law introduced a swathe of new measures that hold companies accountable for their use of California residents’ personal data and put them on a similar track to those dealing with Europeans under the General Data Protection Regulation (GDPR). Companies are subject to the legislation if they collect consumers’ personally identifiable information (PII), if they do business in California, and if they meet at least one of the following thresholds: annual gross revenues above $25m, buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year, or deriving 50% or more of their annual revenue from selling consumers’ personal information.

The penalties for data breaches under the Act are daunting. A company could pay consumers statutory damages of between $100 and $750 per consumer per incident ($750,000 for the theft of a 1000-consumer database at the top of that range), or actual damages, whichever is the greater. That private right of action is limited to breaches of nonencrypted or nonredacted personal information that result from a failure to implement reasonable security procedures, so encryption and a documented security program are the first line of defense. Separately, the State can fine companies up to $2500 per violation, or up to $7500 for each intentional violation. Given the size of some breaches these days, that represents a massive potential penalty.

One of the biggest misconceptions among US companies outside California mirrors the one that led US businesses astray in the run-up to GDPR, warns Corey Nachreiner, CTO of application firewall company WatchGuard: companies wrongly assume that they are not affected if they are based outside California.

“Most businesses in the US that are cross-state will be affected by this,” he warns. That includes businesses selling online.

The Effects on Business

Those companies that have already grappled with GDPR will find the California requirements “more of an evolution,” explains Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

Those companies that are operating only in the US and haven’t yet built out a strong privacy program are the ones that will have a lot of work ahead of them, she adds.

Part of that is down to what Fennessy describes as a broad definition of personal information under the CCPA. It includes anything that could be directly or indirectly linked to a consumer or household. That could include an alias or other online identifier, cookies, a device identifier, pixel tags, a customer number and even information linked to a household. It also includes things not generally listed under US data privacy legislation, like purchasing histories, internet activity including browsing patterns, and inferences drawn about consumers using their data. In some respects it is arguably broader than the GDPR’s definition of personal data. Note that the Act’s data breach private right of action uses a narrower definition borrowed from California’s existing breach notification law, so the broad definition matters most for the consumer rights and opt-out obligations described below.

The law grants consumers several new rights, including the right to find out what information a company holds about them and into which categories it falls, which categories it sold and to which categories of third parties, and where that data came from. Businesses must provide that information in a portable, readily useable format, and they must honor requests to delete it, subject to a number of statutory exceptions.

Fennessy also points to the need to provide a clear and conspicuous “Do Not Sell My Personal Information” link on the home page and on all pages collecting information, enabling the visitor to opt out of having their information sold to third parties. The definition of ‘selling’ is also pretty broad, she explains.

“It depends on whether the entity with which you’re sharing data is processing the personal data for the original entity’s business purpose on behalf, and under the instructions, of the original business, and that relationship has to be governed by a contract,” she explains. That will affect a wide variety of companies, including those in the adtech space, she says.