CCPA: Understanding California’s Data Privacy Law
With every “please accept our cookies” overlay we have to click through, we are reminded of the changes the GDPR has made to the web. Now that 2020 is here, America’s first major attempt at internet privacy regulation is ready to roll out. As is often the case in matters of technology, California is in the vanguard here. The state’s California Consumer Protection Act was signed into law back in 2018, and on January 1 it went into effect. Many ecommerce merchants inside and outside of California are now wondering, what impact will this have on them and what do they need to do to avoid running afoul of the new law?
In theory, if you’re a Texas merchant and you block internet traffic from everyone but other Texans, you could get away with ignoring the CCPA—but as soon as you make your site accessible to web surfers from California, you’re subject to the CCPA’s rules.
While hyperlocal marketing may be trending, we don’t think there are many merchants out there willing to restrict their potential customer base that much. In practice, the CCPA is going to be a nationwide law.
What is the Point of the CCPA?
The CCPA was brought to the California State Legislature to provide residents with new digital privacy protections under the law:
- The right to know what personal data websites are collecting from them
- The right to know if (and to whom) their personal data is being sold or shared
- The right to refuse to allow their personal data to be sold
- The right to access their personal data
- The right to ask companies to delete some or all of their personal data
- Protection from discrimination for having asserted any of their privacy rights
Good news for private citizens, to be sure, but a daunting list of accommodations for merchants and web administrators to implement.
Who is Subject to the CCPA?
Any for-profit organization doing business in California that collects personal data belonging to its users or customers must comply with the CCPA, provided they meet at least one of these additional conditions:
- Buys or sells personal data belonging to at least 50,000 individuals or households
- Derives more than half of its annual revenue from the sale of personal data
- Has annual gross revenue greater than $25 million
Smaller merchants, breathe a sigh of relief. You’re safe from the CCPA—for now. Just make sure you have a clear understanding of what the CCPA considers “personal data,” or you might be meeting that first condition without even realizing it.
“Personal data” as defined by the CCPA can include not just the usual identifiers (name, address, social security number, and so on) but also information related to your internet browser or device, products you’ve purchased (or even researched), biometric data, geolocation, education and work history, and “customer persona” information created with inferences from other data points.
What Does the CCPA Require of Merchants?
There are a number of things that merchants who meet the above criteria must do in order to comply with the CCPA. One of the most significant requirements is that they must provide a “Do Not Sell My Personal Information” link on their website’s home page that allows customers to opt out of having their data sold to other parties. Once a customer has opted out, the company must wait twelve months before it can ask them to opt back in.
To satisfy the customer’s right to view and delete their data, a method for requesting access must be provided. At a minimum, this must be a toll-free telephone number.
Companies must also put a process in place to obtain consent to share personal data belonging to minors. For children under 13 years of age, a parent or guardian must provide the consent; anyone between the ages of 13 and 16 can provide affirmative consent themselves.
What Happens if a Merchant Doesn’t Comply?
So far, it’s hard to say what, exactly, will happen to merchants who fail to comply with CCPA regulations. The most direct penalties are the fines spelled out in the law: $7,500 for each intentional violation and $2,500 for each unintentional violation.
Who enforces these penalties?
The California Attorney General. Does the California Attorney General have the time and resources to go after CCPA violators in Michigan or Nova Scotia? Probably not, but eventually some serial violator will find out just how much disregard for the CCPA it takes to stir the Attorney General into action. We would advise merchants to abide by the law regardless.
Individuals whose CCPA rights have been violated have the right to bring suit to collect statutory damages, but the “cure provision” of the CCPA requires them to give notice to the company first, and if the company corrects the violation the individual is prohibited from taking further legal action related to that violation. The specific remedies for the various possible violations are as yet undetermined.
While the enforcement mechanisms of the CCPA remain somewhat vague, people who worry about the exposure and commodification of their private data have reason to cheer the CCPA, which to date is the most wide-ranging consumer data protection law to apply to American businesses. While the Silicon Valley tech giants were opposed to the law and some thought they might succeed in defanging it through the legislative amendment process, the CCPA seems to have reached its launch date relatively intact.
One last question we can’t forget: what impact, if any, will this have on chargebacks? While the law does not focus on payment data, the protections it requires businesses to put in place will help safeguard personal data, which has the potential to reduce identity theft. This should help cut down on true fraud and account takeover cyberattacks and the chargebacks that result from them. That’s one aspect of the law we can definitely appreciate.