CCPA Data Privacy

The California Consumer Privacy Act of 2018 (CCPA) into effect. This new consumer privacy law comes post Europe’s General Data Protection Regulation (GDPR) and, for some, is seen as a smaller version – without the option to opt-out of data collection all-together that the GDPR has.

CCPA is a consumer privacy law that will be coming into effect on January 1, 2020. The bill – which is aggressive for American privacy policy standards – will put guidelines on personal information collection and post-data-acquisition data usage by businesses.

Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. The breadth of personal information covered by the CCPA, going beyond what is typically covered by U.S. privacy laws, will complicate compliance and business operations.

Who need to comply with CCPA

Companies, especially those outside of California, may wonder whether they are subject to the CCPA. CCPA applies to for-profit entities that (1) have greater than $25 million in gross annual revenues; (2) annually handle personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information. These criteria will result in a wide swath of businesses being subject to the CCPA. For example, a website might only need 137 unique visitors from California per day to reach the threshold of 50,000 consumers. That website’s collection of data through cookies may be captured by the CCPA’s broad definition of personal information. And given the third criterion focused on revenue percentage, even very small businesses that regularly exchange data, for example in the online ecosystem, might be captured if their activities are deemed to be a “sale” under the CCPA.

CCPA PRIVACY OVERSIGHT

The CCPA will impose substantial compliance obligations on all businesses that handle personal information of California consumers. Such obligations may pose particular challenges for the ever increasing array of businesses that leverage consumer data for analytics, profiling, advertising, and other monetization activities, particularly as the compliance requirements are not easily gleaned from the statutory language. Addressing these challenges will require creative, thoughtful approaches and may potentially involve industry-wide coordination to develop and advance practical solutions.

CyberSecOp CCPA privacy consultants incorporates your CCPA compliance requirements, powered by a unique combination of deep privacy expertise developed over two decades, proven methodologies refined through tens of thousands of engagements, and powerful technology operating at scale for 20 years.