How California's new data privacy act impacts modern businesses
By Max Burkhalter, January 7, 2020
As large-scale data breaches become commonplace, consumers and legislators around the U.S. are growing progressively more concerned with data privacy and security. According to research published by Risk Based Security, the first half of 2019 saw more than 3,800 publicly disclosed breaches, which exposed upwards of 4.1 billion sensitive records. To help combat the sharp increase in data theft and identity fraud seen over the past few years, lawmakers in California passed a new consumer privacy act that went into effect on January 1, 2020. While the wide repercussions of this legislation are still unknown, it's clear that the California Consumer Privacy Act will have significant ramifications for the data-sharing economy moving forward.
Breaking down the CCPA
Now that the CCPA is in effect, businesses are grappling with a range of new regulations that govern how consumer data should be managed. Under the CCPA, any covered business that collects, stores or purchases data on California consumers must uphold five new rights respecting personal information:
1. Right to notice: Businesses must inform consumers at (or before) the point of collection that their personal information is being gathered. They must also disclose what categories of data will be collected and how they will be used. If a company changes its practices and starts collecting different types of information, it should notify consumers by email or through a visible alert message on its website. Other disclosures may also apply, such as providing descriptions of consumer rights and how they can be exercised.
2. Right to access: California consumers now have the right to request businesses disclose the categories of personal information they've already collected and the sources from which the content was obtained. The right to access also extends to the commercial purposes of gathered data, meaning companies must carefully track which specific pieces of information they hold about each consumer and the third parties they share them with. Businesses that sell consumer data are also subject to consumer requests for access.
3. Right to opt-out: Under the CCPA, consumers in California have the right to stop the sale of their personal information at any time. This provision will have a major impact on the data-sharing economy, as it affects both businesses that sell personal information and those that buy it. Companies must then wait at least 12 months before asking consumers to opt back in.
4. Right to delete: The most impactful rule set forth by the CCPA is the right to delete, whereby consumers can request that businesses erase any stored personal information. There are, however, some exceptions to this regulation - companies do not need to delete consumer data that is necessary for protecting or defending against legal claims, for example. What makes the right to delete so disruptive is that companies often use personal information for several different purposes and replicate data points many times over.
5. Right to equal services and prices: Alongside the above data-sharing rules, the legislation also prohibits businesses from discriminating against consumers who exercise their rights under the CCPA. Companies cannot deny goods or services, charge different prices or provide a different level of quality to those who have opted out or requested their personal information be deleted. That said, a business may offer financial incentives (discounts, promotions, etc.) to consumers who allow their data to be collected and sold, but only with prior opt-in consent.
What makes the CCPA so challenging to navigate is that it requires covered businesses to integrate a compliance-focused tracking system and data infrastructure that is accurate and scalable. Without a monitoring framework in place, companies may be unable to comply with consumers' right to delete in a timely fashion.
Understanding CCPA compliance
While the CCPA primarily applies to companies that do business in California, any out-of-state retailers that sell to consumers in the Golden State must also be compliant. That said, the legislation only affects large companies or those that have made the sale of consumer data a core part of their operations. As pointed out by a 2019 article from Fortune, the CCPA covers three types of businesses:
- Companies with more than $25 million in gross revenue
- Organizations that possess data on more than 50,000 consumers
- Brokerage firms that make more than 50% of their revenue from selling consumer data
Businesses that fall into one or more of these categories, but fail to remain compliant, are subject to a $7,500 penalty for each intentional violation. Additionally, individual consumers can sue for $100 to $750 following a data breach that jeopardizes their personal information. Considering the CCPA was just put into effect on January 1, 2020, it's still unclear how California's attorney general will enforce these penalties moving forward.
Staying compliant with the CCPA will likely require an agile and scalable data storage architecture, which leaves businesses that operate their own data centers at a clear disadvantage. Luckily, Perle offers powerful connectivity tools, like our industrial-grade Ethernet switches and console servers, that can help organizations prepare to comply with existing and future privacy laws. Read some of our customer stories to learn more.