New privacy law could bring big changes to companies doing business in California

A long-awaited consumer privacy law goes into effect in January, with broad implications for companies doing business across the United States.

The California Consumer Privacy Act (CCPA) was passed by the California State Legislature in 2018, but lawmakers delayed its effective date until Jan. 1, 2020.

While the law targets companies doing business in the state, it casts a wide net. A business is covered if it does business in California and meets any one of three thresholds: annual gross revenues of more than $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices a year; or deriving at least half of its annual revenues from selling California consumers’ personal information.

The rules also reach a company’s dealings with vendors and other third parties, notes a founding partner at Sauer & Wagner and veteran civil trial attorney specializing in business, employment, and intellectual property law.

“Companies need to start right now getting a handle on how they obtain personal information, the types of personal information they collect and share, the purposes for which they use it, the parties with which they share it and why, their methods for retaining and securing it, and their current data disposal practices,” he said. “They should immediately begin identifying all the vendors and other third parties with which they share personal information and review their contracts with those parties for compliance with the law.”

Because the law’s definitions of which companies are covered are so broad (a single California household may own more than a dozen devices that hold personal information, so the 50,000-device threshold is easy to cross), many privacy and legal experts expect the rules to become the de facto national privacy standard.

The law resembles the European Union’s General Data Protection Regulation (GDPR) in several respects. It requires covered businesses to disclose the categories of personal information they collect, sell, and share. At or before the point of collection, businesses must tell consumers what information they will collect and the purposes for which it will be used.

The law also gives consumers the right to have their personal information deleted on request, and it requires businesses that sell personal information to say so and to let consumers opt out of the sale, including through a prominent opt-out notice on the business’s website.

Civil penalties are $2,500 per violation, or $7,500 per intentional violation. Those figures look modest, but they are assessed per violation: for a business handling hundreds of thousands or millions of consumer records, they can add up quickly.

The law also creates a private right of action for data breaches: consumers may sue a business whose nonencrypted and nonredacted personal information is exposed because the business failed to implement and maintain reasonable security practices. Plaintiffs can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, so encrypting stored personal data is worth doing on legal as well as technical grounds.

While many of the CCPA’s requirements won’t be a heavy lift for companies already complying with the GDPR, the new law will require some businesses to overhaul their data-handling practices, privacy experts said.

California will require companies to identify what personal data they hold about a consumer, and where and why it is stored, within 45 days of receiving a request, noted Mark Sangster, vice president and industry security strategist at eSentire, a cybersecurity firm.

“Organizations that aren’t prepared with mechanisms and resources in place to intake and process inquiries will find themselves flat-footed, especially if a large volume of customers or an activist group leverages the request mechanism,” he said.

Many companies don’t track their data as closely as the law requires, he said. Covered businesses will need to “fully map all of the information they collect and where the information goes, including across their supply chain, with a justified purpose,” he added. “And for many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather, and they’ll be challenged by a limited line of sight into the movement of their data across third parties.”

Building a comprehensive map of the data a company holds may be difficult, added Kristina Bergman, CEO of Integris Software, a data protection vendor. Some firms will struggle to discover “all the places where personal information has been propagated to in the last few decades,” she said.

It may also be tough to keep that inventory current, given how constantly the data changes, she said.
