Do you remember GDPR? When GDPR took effect in the European Union there were a lot of questions, and in the time since some of them have been answered. GDPR was the first sweeping legislation to tackle consumer data and what companies can do with that data (among many other things). The world did not end, and the wheels of commerce did not come to a screeching halt in Europe or anywhere else. It was only a matter of time until similar legislation came to the US, and on January 1, 2020 the first such law, the California Consumer Privacy Act (CCPA), takes effect. Are you prepared?
GDPR Here In The US?
Now of course you are probably saying to yourself that, just as GDPR did not apply to you because you do not do business in Europe, CCPA does not apply to you because you are not in California. In some ways that is true, but just as with GDPR, it is a matter of time before other legislation is enacted, and at some point it is bound to affect you.
CCPA was signed into law in June 2018 despite a powerful lobbying effort from Silicon Valley to stop it, and a package of amendments passed the legislature in September 2019 and was signed by Governor Gavin Newsom in October 2019. The legislation promises sweeping changes to how Californians (and, in practice, many Americans) control their data and what companies do with it. Companies will have to tell consumers what personal information they collect and why, delete it on request, and give consumers the ability to opt out of the sale of their personal information (the "Do Not Sell My Personal Information" link you will start seeing on websites). California already requires companies to notify consumers of a data breach under its existing breach-notification statute; what CCPA adds is the ability for consumers to sue when a breach of their unencrypted personal information results from a company's failure to maintain reasonable security.
California Law, National Potential
Since this is a state law, in theory it only applies to companies that do business in California and provides these protections only to California residents. That may leave out some businesses, certainly here in Central Pennsylvania, whose customer base is local or regional, but if your business sells to or collects data from Californians, even only over the web, you may be subject to this law.
The CCPA, though, does not apply to all businesses. It applies to for-profit businesses that meet any one of three thresholds: more than $25 million in annual gross revenue; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information. Note that the 50,000 threshold counts devices as well as people, so a modestly sized website with analytics or advertising trackers can cross it. You can see why Silicon Valley would fight this kind of legislation.
Companies that meet those qualifications, even those based outside of California, will need to comply if they do business with Californians. This essentially makes CCPA a national law, and there is a very good chance that other states will simply copy this legislation and enact their own versions. At this point the only body that can supersede it is the federal government, and no one is expecting much from Congress at the moment.
Does This Apply To You?
If this applies to you and you have not started working toward compliance, you have a big headache in front of you. Do you know how much data you hold on customers? Do you know where it is stored, which vendors you share it with, and how you would find and delete one person's records if they asked? If you don't, you had better figure it out. Your privacy policy will need to be updated as well. If you need help with that, check out our friends at Termageddon and they can get you squared away.
Compliance will be expensive, time-consuming and distracting, especially at this time of year during the holiday season. But the cost of compliance will be less than the penalties: the Attorney General can seek up to $2,500 per violation and up to $7,500 per intentional violation, and individual consumers can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) when a data breach results from a failure to maintain reasonable security. In both cases a company is given 30 days' notice to cure the violation before it is subjected to the penalty.
Confused Consumers And Business Owners
Not everyone, of course, is on board with this law. Many lawyers believe that the penalties and the requirements are confusing and that the courts will have to sort through it before it can be enforced consistently. Some business owners fret that consumers will assume they are storing information that they are not, and that they will face a flurry of lawsuits they will be required to fight. Some also believe that it might discourage people from opening a business in a state already known for miles of red tape.
In reality, it took some time for GDPR to be sorted through, and once it was enacted and companies got used to it, compliance became easier. Many people's worst fears have not come to pass. Chances are there will be a period after the law takes effect while issues are sorted out, but in the end it will achieve its goal, which is better protection of customer data and hopefully fewer data breaches. That is better for everyone.
It was only a matter of time before something like this happened, and California was quick to begin the process, so it is no surprise that theirs is the first to take effect. Many of the companies potentially affected have already done the work for GDPR compliance, and much of that work carries over, since many of the same protections now apply in the US, though the two laws are not identical and the CCPA's sale opt-out in particular needs its own handling. Of course not all companies are affected, and many of Nicely Done Sites' clients will not be, but there is going to come a time when you will be. While you may not need to be in compliance at the end of the month, this is something you need to start thinking about now.
Chances are a national law will look similar, so you now have a framework to start working toward. At the very least, what you do with the data can affect you and your customers. Treat it responsibly, collect only what you need, and do what you can to prevent a data breach.