Consumers have understandably been concerned about their personal information and the ways businesses with interact with it. That concern has spawned a host of new legislation, not only in the United States, but around the globe. The recent passage of General Data Protection Regulation (GDPR) in the European Union gave consumers sweeping new rights regarding their personal information, including the requirement that they give their consent to the ways in which personal information is used. Now, new legislation in the state of California seeks to give similar rights and protections to the citizens of that state.
What is the CCPA? In the U.S., among the more influential new pieces of consumer protection legislation is the California Consumer Privacy Act (CCPA), which becomes effective January 1st of next year. The new Act will impact awide range of businesses in the state—and its influence extends beyond California—already, 15 other states have introduced privacy legislation similar to California's. Although not as expansive as GDPR, the reach and impact of CCPA are substantial.
This is how CCPA is defined by Data Privacy Monitor:
"The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1,2020…Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information."
Under CCPA, a business is required to disclose what personal information it collects whenever a consumer makes a "verifiable request". In those circumstances, the business must disclose:
In addition to these requirements, businesses will be obligated to delete personal information they've collected if a consumer requests they do so—and they can't discriminate against consumers who make such requests. Finally, if a business intends to sell consumers' personal information, they will be required to disclose that fact, and to give consumers the right to "opt out" of the sale of their personal information.
Companies that violate the provisions of CCPA are subject to an injunction and for civil penalties of no more than $2,500 for each violation. If the violation is judged to be "intentional," the fine increases to $7,500 for each violation.
Also, consumers can bring a civil action against the business. The amount they can recoup is not less than $100 or more than $750—or "actual damages" (as interpreted by the court), whichever amount is greater.
Not every eCommerce business in California will be substantially impacted by the new legislation. The major provisions of CCPA will however apply to any business (including any eCommerce business) in California if any of the following conditions is true:
Many businesses are understandably taking a "wait and see" approach in case the provisions of CCPA are changed before its official roll out on January 1 of next year. There is however a high likelihood that some CCPA regulations will almost certainly be included in the final legislation. That means there are proactive steps your business should be taking now to prepare for CCPA, including the following:
The bottom line is this: CCPA will become the law of the land starting in January. Its provisions are, for the most part, straightforward and unequivocal—and the penalties for violations of the CCPA could be damaging to your eCommerce business. To be prepared, study the new legislation carefully, get legal advice if you need to and take prudent action now to ensure that your business will be fully compliant.