The California Consumer Privacy Act of 2018, also known as the CCPA, gives California consumers new rights to their personal data. In this blog post, we will review how the CCPA affects businesses, consumers, data, the rest of the country, and possibly even you.
Lately, there has been a significant amount of privacy news related to data breaches, unapproved information sharing, and even the outright sale of consumer data that was originally provided to social media, commercial, and retail venues. This has caused many consumers to ask, “what happens to my information after it’s collected?” “what is it used for?” or “why do you really need my data at all?” Unfortunately, these questions have been largely ignored by companies globally, evidenced by the increasing number of robocalls, email campaigns, sales advertisements, and data mining activities that continue to target unsuspecting consumers.
Why? Quite frankly, data has become a form of wealth, whether it is to the hacker trying to socially engineer or steal identities, the company that is trying to analyze consumer habits to sell better, or even the company who wants to hold your data hostage, so that you stick with them. Your data means something to them and, likely, that reason wasn’t conveyed to you upon collection.
Because of these growing frustrations, a movement has begun with an emphasis on protecting consumer privacy, and the lawmakers in California have heard it. Steps are being taken to facilitate change and provide consumers with a new sense of security and peace of mind. The California Consumer Privacy Act was enacted in June of 2018 to aid in the security of personal information. This law is scheduled to be in full effect by January 1, 2020 and is designed to return control of personal information to the individual or at least get the ball rolling. Like the global impact of the General Data Protection Regulation (GDPR), the CCPA could be the turning point for the transition of consumer privacy across America.
For example, just as with GDPR, the CCPA will require organizations to focus on the information that is collected from its individual consumers and be able to provide transparency to them as to how and why their information is collected, protected, shared, processed, and eventually destroyed. The new law has a specific focus on California consumers, but can be applicable to any businesses that collect their personal data, meaning that its influence ultimately stretches outside of California. That’s right, any company that handles the data of a California resident could be impacted. Therefore, as companies across the country begin to adhere to CCPA, or at least ponder the ramifications, it is likely that this could be the beginning of a state by state rollout of new privacy protection laws.
Before that wave gets rolling though, let’s first dig deeper into what CCPA really is. One could say that data subject rights laid out under the CCPA carry an optimistic view of how personal information should be handled in a utopian environment. California starts by defining personal information as:
“Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Personal information does not include publicly available information that is lawfully made available to the public from federal, state, or local government records” California Code, Civil Code - CIV § 1798.80 (2010).
Aptly so, a consumer may want much of this information to remain safe, private, and only used as needed; however, in many cases this information is used as a live representation of an individual and is bartered and traded by businesses and corporations.
To reduce the risk associated with personal information distribution, the CCPA has five elements with which to comply. According to the full text of the privacy act, each consumer has the right to:
- Know what information is being collected about them.
- Know if their information is sold or disclosed (and to whom).
- Simply say “no” to the sale of their personal information.
- Access and delete their personal information to prevent it from being sold or accessed.
- Receive equal service and price, even if they exercise their privacy rights, with no stigma or differentiation in service or products. Businesses may not offer consumers different tiers of service based on their desire to be anonymous; however, the law does allow businesses to recover the reasonable additional costs of processing.
By now, you may be asking yourself, “how does this apply to me?” The CCPA applies to California residents, employees, and certain companies that do business with California consumers. A qualifying business must be for profit, collect personal information, determine the purpose of the collected information, do business in the state of California, and earn annual gross revenues more than twenty-five million dollars. Similarly, businesses that buy or sell the covered personal information or derive at least 50% of their annual revenue from sales of this information must also comply. For the record, Aires never has and never will sell the personal information of our clients or their transferees; however, we still are considered a statutory “business” that must protect California consumers’ personal data and enable them to exercise their rights.
Not everyone in California is covered though. The CCPA only affords consumers, defined as a natural person or employee residing in California, these rights. The law does not protect California consumers who do business with a non-Californian business while outside the state of California, or non-California residents doing business in California! Got that?
What if a company chooses not to abide by the CCPA and still provides services for California consumers or does business without protecting an individual’s rights? Fines for violating the CCPA can be $2,500 per negligent violation, or $7,500 per intentional violation – whichever is greater. Consumers can also elect to recover actual damages if a data breach hurts them. Since California has the fifth biggest economy in the world (larger than all of the European Union member nations except for Germany) the financial implications could be quite significant, just like GDPR.
Rest assured, Aires takes data protection and data subject rights very seriously and employs several means to ensure the security and privacy of all customers. We understand the need for keeping our clients’ vital information private and secure, and we maintain compliance with all U.S. and International Data Protection Laws, based on industry best practices, as well as maintaining PCI-DSS compliance, a SOC 2 Type II report covering all five Trust Services Principles and Criteria, and others.
If you are a California resident, this law permits you to request information regarding the disclosure of your personal information by Aires to third parties for contracted services. To make such a request, please send an email to privacy@aires.com or write us using the information below:
CA Privacy Rights
Aires
6 Penn Center West
Pittsburgh, PA 15276