feature

With the California Consumer Privacy Act (CCPA) scheduled to begin enforcement on January 1, 2020, the privacy revolution kicked off by GDPR has come home to roost for American companies. So what does it mean for your brand?

In 2018, the enforcement of the European General Data Protection Regulation (GDPR) reshaped the data privacy landscape for businesses across Europe and worldwide—and has made consumer data privacy and security an essential topic for anyone who cares about customer engagement.

With the California Consumer Privacy Act (CCPA) scheduled to begin enforcement on January 1, 2020, the privacy revolution kicked off by GDPR has come home to roost for American companies. This new legislation is a big topic, and it can be scary for brands—especially ones that haven’t begun the work to become compliant. While Braze can’t provide legal advice to our customers or to anyone else, we can walk you through some of the main things you need to think about when it comes to CCPA and data privacy in general. Read on to get up to speed:

The Basics

What is CCPA?

CCPA stands for the California Consumer Privacy Act, originally passed by the state government of California in June 2018. The law creates new privacy and consumer protections for people residing in California. Enforcement of the CCPA will begin on January 1, 2020.

Why did California pass the CCPA?

In 2018, following a series of data privacy incidents—including the Cambridge Analytica scandal—an advocacy group called “Californians for Consumer Privacy” proposed a state ballot initiative that would have instituted an extremely strict new consumer privacy law if passed by voters.

To preempt that effort, the California legislature introduced and passed CCPA, leading Californians for Consumer Privacy to withdraw their initiative. While CCPA is considered to break new ground when it comes to consumer data privacy rights in the United States, it features less stringent requirements than the proposed initiative.

What rights do California residents have under CCPA?

Under CCPA, California residents have the right to know who is collecting their personal information (PI) and what is done with that information, and they have the right to access the information, to have it deleted, to opt-out of the “sale” of their personal information, and to exercise all of these rights without discrimination—that is, they can not be denied benefits or rights that people who do not opt-out are given.

Does CCPA apply to organizations that are based outside of California?

The law applies to any organization that does business in California with revenue of $25 million or greater, as well as to businesses that collect data from 50,000 or more California residents or derive at least 50% of their revenues from “selling” personal information. That likely includes most companies based in the state, as well as many U.S. and international organizations with audiences that include California residents.

CCPA and Data

What data is regulated by CCPA?

CCPA only covers the collection, sale, and disclosure of “personal information” in connection with a business purpose. However, because it was passed with the goal of targeting the vast quantities of data handled by social media companies, data brokers, and online behavioral advertisers, it has a number of stringent requirements that give it a far-reaching impact.

Under CCPA, PI includes everything that can identify an individual—name, address, email, bank account number, birth date, biometric info, fingerprint, etc.—as well as household data, audio, thermal, and olfactory information. As such, the definition of PI under CCPA arguably makes this one of the broadest laws in the world related to privacy rights.

What information do brands have to disclose to customers under CCPA?

CCPA includes detailed disclosure requirements that must be updated every year; companies must disclose the PI that they have collected, “sold”, and disclosed for a business purpose over the past 12 months, and ensure that California residents have disclosure, access, and opt-out rights when it comes to their personal information. Organizations are also required to explain the categories of PI they collect and what the purpose of gathering that information is—and they must do so at the point of collection, whether that’s a website, an event, or something else.

How does CCPA define “selling”?

CCPA defines “selling” very broadly, covering activities that few people would associate with the sale of data. Under CCPA, selling doesn’t just refer to the transfer of personal information in exchange for money—the law also considers selling to include the “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

Because the law doesn’t define “other valuable consideration”, and because the definition of “selling” includes the sharing of data, many brands that don’t sell data (in the vernacular sense of the word) may be required to act as though they do in order to comply with the law. “Other valuable consideration” is being taken to mean any value, so if personal data is shared with a third party and there is any value in doing so for either party, that is potentially a “sale” under CCPA—and that’s one of the reasons that CCPA is considered to be among the broadest privacy laws in the world.

Are there special requirements for brands that are deemed to be “selling” personal information under CCPA?

If a company is “selling” a California resident’s PI under CCPA, that organization is required to include a prominent “Do Not Sell My Personal Information” link on its website that will allow individuals to opt-out of the “sale” of their personal information. Brands that fail to do so face potential fines and other punishments.

Does CCPA have rules about collecting information from minors?

CCPA allows adults to opt-out of data collection and bars businesses from re-asking for permission to collect their data for at least 12 months after that opt-out. However, for children under 16, the rules are significantly more stringent and require an opt-in for the collection of their personal information. And for children under the age of 12, no PI can be collected without parental consent (e.g., the parent or other guardian must opt-in for the child).

Does CCPA apply to data collected before the law was passed?

If a company subject to CCPA collects personal information, then that company must comply with CCPA requirements, even if the data was collected prior to the January 1, 2020 date for enforcement of CCPA. This means that a consumer residing in California can exercise all of their rights with respect to their personal information—for example, that consumer can ask your brand to delete data you collected about them five years ago, and under CCPA your brand would be obligated to do so.

CCPA Enforcement

When is the enforcement deadline for CCPA?

Although CCPA was originally passed in June 2018, organizations were given until January 1, 2020 before they were required to comply with the law.

What are the penalties for failing to comply with CCPA?

The attorney general of California is authorized to fine organizations up to $2,500 for a violation of CCPA; however, these organizations will have 30 days to respond to a notice of non-compliance and won’t be fined if they address the issue during that time frame. One key thing to understand—these fines are for each individual violation, so if 100 people are affected by the violation, the potential fine would be $250,000, rather than $2,500. In addition, if the non-compliance is found to be intentional, fines can total up to $7,500 per violation, raising the potential for significant financial impact for brands even higher.

CCPA also allows individual California residents to file complaints against organizations they believe to be in violation of the law, with potential payouts of up to $750 per person.

Additionally, there is a private right of action under CCPA—meaning an individual can bring a lawsuit, if the individual believes that a company has not complied with the security requirements of CCPA and there has been a data breach with respect to that person’s PI. This individual right of action can lead to class action lawsuits, a particularly sobering possibility in the litigious environment of California, where there are theoretically a number of plaintiff’s lawyers who are eagerly awaiting the opportunity to file these types of lawsuits, and recover huge awards on behalf of large classes of plaintiffs. The awards can exceed the actual damages suffered, making this possibility particularly frightening for companies subject to the CCPA. In addition, proposed regulations under current review are considering implementing a private right of action for all violations of the CCPA, instead of just allowing them where there has been a breach of the statute’s security requirements.

Where should organizations start when it comes to CCPA compliance?

Organizations should ensure that they include the appropriate disclosures on their website and at all points of the collection of personal information from California residents. They should be able to comply with all CCPA requests and if they are deemed to be “selling” personal information of CA residents, they should prominently include a “Do Not Sell My Data” button on their website.

Organizations that are already GDPR compliant are well on their way to CCPA compliance, but the requirements of the two laws are not identical, and companies are encouraged to seek the advice of their trusted advisors to ensure that they have done everything necessary to ensure that they are in compliance with the requirements of CCPA prior to January 1, 2020.

CCPA and GDPR

How do CCPA and GDPR differ?

The European Union’s General Data Protection Regulation (GDPR) was passed in 2016 and inspired by the implicit belief within much of Europe that individuals there possessed a fundamental right to control their own personal data. CCPA, on the other hand, followed from a belief that the state of California had fallen behind in protecting the privacy of their residents and safeguarding them from the misuse of PI (including identity theft, financial fraud, reputational damage, harassment, etc.).

Given these differences, while GDPR focused primarily on ensuring the ownership and control of personal data by each affected individual, CCPA focused on targeting the ability of online companies to carry out transactions involving large amounts of personal information without the knowledge and consent of California residents. To wit, GDPR applies to all activities involved in the processing of personal data—including storing, accessing, and transferring data. CCPA, however, only applies to collection, “sale,” and disclosure of personal information for a business purpose.

In what ways do CCPA and GDPR complement each other?

Both CCPA and GDPR require organizations that collect personal information from individuals to disclose what they are going to do with that personal information and both laws provide a number of similar rights to third parties with respect to their own personal information. Additionally, both laws require consent, transparency, and control by individuals over their own personal information, and both laws impose fines for failing to honor their requirements.

Are differences in the regulatory environments between the EU and California expected to impact enforcement of CCPA and GDPR, respectively?

Because California is a significantly more litigious environment than the European Union and the expectation that regulators in California will be seeking to strictly enforce the law commencing in the new year, it’s likely that we’ll see more organizations being fined for failing to comply with CCPA than we did when GDPR enforcement began. Given that, organizations that choose to wait and see rather than aggressively pursuing compliance with CCPA are likely taking a serious risk.