A Year in Review of CCPA: Data Privacy Today and Tomorrow

Tally Netzer

Product Marketing Manager, K2View

In 2018, the California State Legislature signed the toughest data privacy law in America to date. What started as a ballot initiative became a disruptive new law that affects most for-profit companies conducting business in California. More specifically, the law applies to companies that meet any of the following criteria:

  • Gross more than $25 million in annual revenue
  • Store the personal information of 50,000 or more California residents
  • Earn 50% or more of their annual revenue from selling that personal information

That’s a lot of companies.

You’ve likely noticed many businesses now have a data privacy policy and cookie-collection opt-out button pop up on their websites. Here’s an example.

[Image: K2View cookie consent pop-up]

This pop-up demonstrates how brands take increased care when collecting personal data, giving consumers knowledge and control over when and where their data is stored, and how it may be used.

When CCPA went into effect on January 1, 2020, consumers gained a handful of rights:

  • The right to know what personal information businesses collect, use, share or sell about them as well as why they do so
  • The right to delete personal information companies have collected and ask their service providers to do the same
  • The right to opt-out from businesses selling their personal data
  • The right to non-discrimination in service for exercising their CCPA rights
  • The right to notice at collection about the categories of data being collected and its purpose of use
  • The right to view privacy policies that must be provided by companies

From the day CCPA was passed until its first day in effect in 2020, companies had less than two years to get their organizational systems and data in line. This required every department that collects or uses customer data to understand the regulation and immediately begin working towards compliance. For companies with customer data in dozens or even hundreds of siloed legacy systems and databases, implementation proved to be a challenge, to say the least. To make things worse, the law itself has already undergone numerous changes since enforcement began, threatening to lock companies into an endless cycle of IT projects to keep up with the new requirements.

The CCPA has already seen three rounds of proposed modifications in under a year that clarify, expand, adjust or even eliminate aspects of the initial legislation. The California Attorney General announced its final modifications to CCPA on June 2, 2020 and mandated that compliance must be met by July 1, 2020 to avoid fines.

As of December, California’s Attorney General has not levied any fines for CCPA non-compliance. The state has been lenient with companies rushing to gain and maintain compliance. However, when the fines inevitably start to roll in, here is how the penalties will be calculated:

  • Civil penalties for non-compliance that is deemed unintentional start at $2,500 per violation. Note that fines are calculated on a per-capita basis: each user whose rights are violated represents a separate violation. For example, a company that sells 100 data elements belonging to users who requested to opt out would face a penalty of 100 times $2,500, that is, a $25,000 penalty.
  • Even worse, if a CCPA violation is found to be intentional, each infraction receives a higher fine of $7,500 per violation. As an example, if a large retail chain with 5 million consumers in California were to knowingly violate CCPA regulations, the business could be fined more than $38 billion.
  • Additionally, California citizens have the right to sue a company if their data is jeopardized because of a data breach. This is contingent on whether the company implemented “reasonable security procedures”, but there isn’t a clear definition of what this means exactly. Regardless, companies should take all necessary measures to become compliant and avoid legal repercussions.

The attorney general does give some grace. If companies can fix the compliance issue within 30 days of notice, they’ll only receive a warning. In this case, speed and agility are essential for organizational data privacy management and for avoiding hefty fines.

There is another, arguably greater, cost to non-compliance: the cost of a negative reputation and lost consumer trust. In 2018, Information Age found that one-third of consumers would stop doing business with companies that have been breached or fined for non-compliance. This soft cost has long-term effects that financial gains can’t fix: reputational damage, loss of investors and vendors, and poor employee recruitment, in addition to the loss of loyal consumers, just to name a few.

Regulations will continue to evolve and replace current legislation. Even the CCPA will be largely amended and expanded with the California Privacy Rights Act (CPRA), which has been approved after less than a year of CCPA’s implementation.

With regulations changing on a dime, the past couple of years have been a wake-up call to companies with traditional, outdated IT systems that silo data and hinder top-to-bottom compliance. To keep up with changes in compliance now and in the future, companies must have a modern, flexible data privacy management solution in place to protect their customers’ data.

Forward-thinking companies are achieving regulatory peace of mind with solutions like K2View Data Privacy Management. To learn more about CCPA and data privacy compliance solutions, connect with us here.