The United States’ Response to GDPR
It’s hard to believe that it has been over a year since the GDPR enforcement date back in May of 2018. While the tech and marketing industries are just now getting a grasp of the new privacy regulations in the EU, the United States has been making changes of its own. In June of 2018 (with amendments that September), California passed the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020. The new law closely mirrors GDPR, but there are distinct differences. Compared with GDPR, the CCPA is more prescriptive and less ambiguous. And unlike GDPR, which applies regardless of company size, the CCPA only applies to businesses that meet minimum thresholds.
Companies need to prepare for CCPA if they do business in California and meet any of the following thresholds:
- Annual gross revenue of $25 million or more;
- Buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or
- Deriving 50 percent or more of annual revenue from the sale of consumers’ personal information.
What this boils down to is: if you are a marketer and work for a company that stores and/or processes a lot of personal data about California consumers, you need to pay attention to these new regulations.
What Is CCPA?
CCPA is intended to protect the rights of California residents by letting consumers know what data is being collected about them, access it, and have it deleted. Here is a summary of the rights of consumers:
- Right to know and to opt out – companies must disclose what categories of personal data they collect, why, and who they sell or share it with. Consumers also have the right to say no to the sale of their data and to request that it be deleted. This does not apply to deidentified or aggregated data.
- Right to non-discrimination – should a consumer opt out of the sale of their personal data (or exercise any other CCPA right), companies cannot discriminate against them by charging more, degrading the service, or denying services.
- Right to have your personal data secured – companies that store or process personal data are responsible for having reasonable security measures in place, and the CCPA’s private right of action (see below) is tied directly to breaches that result from failing to do so.
All of this sounds very familiar to anyone who has worked on GDPR compliance, but there are differences. Websites that sell personal data must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage and in their privacy policy, pointing consumers to a page where they can opt out.
So What Does CCPA Mean for Marketers?
California isn’t the only state making its own privacy regulations – more than ten other states have passed, or are in the process of passing, new laws around internet and data privacy. That means that until the US government creates a unified federal regulation on data privacy, the burden will be on marketers to monitor and understand a patchwork of state laws.
As you may have expected, non-compliance with the CCPA can result in steep penalties. Civil penalties enforced by the California Attorney General run up to $2,500 per unintentional violation and up to $7,500 per intentional violation, after a 30-day notice period in which the business may cure the violation. The CCPA also gives California residents a private right of action, but only for data breaches: a consumer whose non-encrypted, non-redacted personal information is accessed and exfiltrated, stolen, or disclosed because a company failed to implement reasonable security may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater (the consumer must first give 30 days’ written notice, and the action can be avoided if the violation is cured). Note that these are statutory damages, not fines, and the math adds up quickly: if you accidentally expose the personal information of 10,000 people, statutory damages alone can range from $1 million to $7.5 million.
Very recently, California passed 4 new amendments to the CCPA, which shows why marketers need to continuously monitor data privacy regulations. The new amendments remove some of the ambiguity from parts of the law and add a 1-year exemption (until January 1, 2021) for B2B contact information and employee information, the expectation being that California will pass separate privacy rules around employee data within the next year.
At a high level, to help comply with CCPA, companies should do a few basic things:
- If your company sells personal data, provide a “Do Not Sell My Personal Information” link so consumers can opt out of the sale of their personal data.
- Maintain an up-to-date privacy policy (the CCPA requires it to be refreshed at least every 12 months) that outlines what categories of personal data are collected, what they are used for, and what rights consumers have. This should include a method or workflow for consumers to exercise their right to delete – the CCPA’s counterpart to GDPR’s “right to be forgotten.” For those who already comply with GDPR, most of this step should already be taken care of, but the CCPA-specific disclosures still need to be added.
- Have contracts in place with your vendors that clearly outline each party’s responsibilities. Under the CCPA, a vendor only qualifies as a “service provider” if the contract prohibits it from retaining, using, or disclosing personal information for any purpose other than performing the contracted services. Data Processing Addendums (DPAs) or other contract addendums are a great way to do this.
How Sigstr Is Preparing for CCPA
Sigstr has created a California Service Provider Addendum to append to all new contracts going forward. This document further solidifies the responsibilities of Sigstr and its customers to abide by the regulations and obligations set forth in our terms of use. Sigstr’s GDPR features are directly relevant to CCPA – the ability to delete, export, and modify data about specific consumers will be very useful for fulfilling CCPA requests.
Sigstr also holds a SOC 2 Type II report covering all five AICPA Trust Services Criteria, including Privacy. An independent auditing firm tested and confirmed the controls we have in place around privacy, data governance, and GDPR requirements.
Similar to what we discussed in our GDPR blog post a year ago, compliance is an ongoing activity, not a project with a start and end date. Since regulations and the guidance interpreting them change frequently, it is more important than ever to research and understand the current and upcoming standards for data privacy.