The California Consumer Privacy Act was passed by lawmakers on June 28, 2018. The act will take effect on January 1st, 2020. But some parties started complying as soon as January 1st, 2019. Software Developers and Software Companies as a whole are directly affected by this new law, prompting them to readjust their strategies and actions to be taken in the near future.
The California Consumer Privacy Act, widely known as CCPA or AB 375 is one part of the Consumer Privacy Legislation. The CCPA passed into California law on June 28, 2018.Some have described this bill as the “GDPR of the United States.” It empowers consumers when it comes to their private data. And it basically affects most tech companies in California, including Google and Facebook who were both publicly addressed for data violation.
Why should I be concerned?
The law does not apply to all businesses. It primarily addresses data companies and tech giants. And there has been lots of back-and-forth around it that suggests slight modifications and adjustments before fully going into effect.
Despite the amendments, CCPA compliance should be an ongoing activity for companies starting now. As any activity of sales of personal information will be disclosed for the last 12 months since the start of the law. which means disclosures will be as early as January 1st, 2019.
Why should I be concerned? The CCPA will be considered as a benchmark that will likely influence legislation going forward. And with the strong wave of backlash following recent privacy scandals across lots of platforms, the new law shows no signs of slowing down, so amendments will not affect the core concept of CCPA.
What Will it affect?
The world describes CCPA as the softer version of GDPR. However, it is in no way softer on demands or penalties. CCPA sheds the light on:
● User Control: Users have the choice to opt-out (or opt-in) from sharing their data. Users also have the right to recall their data, to have it erased, and the right to privately sue for damages if a company breaches the mutual agreement. A pending amendment allows for giving users the right to sue for privacy failures.
● Transparency: Users get to know which data is being collected and for what purposes. If data is sold or shared, they should know the full details of the sale. Users are able to know if a company has sold data to anyone in the last 12 months regardless of whether or not the practice has since stopped.
● Data security: companies are subject to fines and lawsuits for any personal information they fail to protect from hacks or misuse (e.g. internal employees looking at data without a business motive).
What kind of businesses are impacted?
The law is generally aimed at two classes of businesses:
● Data brokers: companies that make the majority of their revenue by sales of personal information of customers or that trade more than 50,000 records per year.
● Medium-to-large companies: companies with greater than $25 million in annual gross revenue.
This means that the majority of small businesses, including most tech startups, are unaffected.
How are GDPR and CCPA different?
Mainly addresses businesses involved in sharing or selling information, with some requirements about the collection of information
Mainly addresses all businesses that process information, regardless of selling or sharing information.
Empowers consumers and requires businesses to be significantly transparent about collection, use, disclosure and sale of personal information
Empowers consumers and requires businesses to be significantly transparent about processing personal data.
Companies are forbidden from selling personal information if they did not receive consent from the consumer or provided explicit notices
Companies are forbidden from any sort of use of personal information if they did not receive consent, legitimate interest, contract agreements, vital interests, public interest or legal obligation from parties involved
If selling data, companies must give consumers the opportunity to opt out of that sale.
Before any data could be exchanged, companies must give consumers the right to opt in
CCPA’s most significant trait is allowing for a massive increase in data transparency when it comes to data collection and use. Consumers have the freedom to provide their information in exchange for the services they desire, which means things like giving up an email address before getting access to a whitepaper will no longer be obligatory. More importantly, the law is likely to spread well beyond California and change many practices in the tech industry. Compliance initiatives should start immediately if not already started.
MASS Analytics Team