The California Consumer Privacy Act (CCPA) scheduled to become effective 1 January 2020 gives California consumers new rights with regard to their personal information.
Although the CCVPA is still a work in progress, it's known that specific rights of consumers under CCPA will include the rights to:
- Know what personal information is collected, used, shared or sold
- Delete personal information held by businesses and their service providers
- Opt out of the sale of personal information, except that children under age 16 must opt in
- Not be discriminated against in price or service as a result of exercising privacy rights under CCPA
The CCPA will apply to businesses that meet one or more of these criteria:
- Gross annual revenues > $25M
- Buy, receive or sell the personal information of 50K or more "consumers, households or devices"
- Derive 50% or more of annual revenues from the sale of consumers' personal information
New obligations of such businesses under CCPA are:
- Provide notice to consumers before collecting data
- Create procedures for consumers to "opt-out, know and delete", including a "Do Not Sell My Info" link on websites and apps
- Respond to consumer requests to know, delete, opt-out within specific timeframes
- Verify the identity of consumers who request to know or delete
- Disclose financial incentives offered for retention or sale of personal information
- Maintain records of consumer requests
Penalties for CCPA non-compliance can reach $7500 per affected customer.
How CCPA is different from the EU GDPR:
- CCPA is focused on allowing consumers to opt out of the sale of their data. Absent opt-out, publishers will be able to sell consumers' data.
- CCPA doesn't require getting consumers' permission to use their data fior ad targeting.
- CCPA doesn't cover location data providers, or emerging data-collection tools like Internet-connected TVs or smart cars or appliances
The Interactive Advertising Bureau (IAB) is drafting a CCPA Transparency and Consent Framework for Publishers and Technology Companies that includes a master contract for publishers' supply-chain partners, along with technical specs. The IAB framework will continue to evolve until California officials have firmed up the CCPA itself
And this is just the beginning.
In June, Maine legislators passed An Act To Protect the Privacy of Online Customer Information which prohibits broadband ISPs from using, disclosing, selling, or giving access to almost every category of information flowing from a consumer's use of Internet service.
New privacy regulations are under development by other US states including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island.
What consumer personal information does your company have? Better find out and start developing systems for complying with rules like those in the CCPA.