DatawalletDatawallet

The CCPA Beyond the Californian Border

Regulation ¦ February 25th, 2020, 11:00 pm

The International Association of Privacy Professionals (IAPP) estimates that over 500,000 U.S. businesses will have to comply with the California Consumer Privacy Act, and nearly 80% of those are located outside of California.

CCPA Impact

Companies located outside of the state would significantly lose out by ignoring the Californian market altogether. California has the fifth-largest economy in the world and would rank just below Germany if U.S. states were considered on a global economic scale. 

Besides having a direct impact on many businesses outside of California, the CCPA has also inspired law-makers in states across the U.S. to embark on similar data privacy efforts. In the wake of the CCPA, the number of data privacy laws across the U.S. has dramatically increased. In 2019 alone, there were over 150 pieces of legislation considered that specifically dealt with the protection of consumer data in the U.S. on both the state and federal level. For a full overview of the comparison of state laws in the U.S., see our state privacy law comparison chart. We also have a piece on the two most notable federal proposals, COPRA and the CDPA.

Such a patchwork of differentiating privacy laws is an unpleasant outlook for businesses with a U.S.-wide customer-base, who need to be able to adapt to these differentiating standards. The legal and operational costs pile up as more and more state privacy laws come into effect.‌ Companies such as Microsoft, have jumped the gun (and generated excellent privacy PR) by applying the CCPA requirements to their entire U.S. customer base. 

CCPA Enforcement

The CCPA remains the most onerous data privacy law in the U.S. in effect. Penalties under the CCPA can be sorted into regulatory violations and data breaches. For the most part, the California Attorney General will be in charge of CCPA enforcement. However, Californian consumers are also granted a private right of action if a business violates the CCPA’s security regulations by exposing their personal information. Companies can be penalized up to $2,500 for each regulatory violation of the CCPA. If that violation is viewed as “intentional” the penalty can increase up to $7,500. Considering how California’s Supreme Court has previously counted violations, experts believe that CCPA violations will be judged on a per-capita basis

For instance, if a business fails to notify consumers with a description of their new rights under the CCPA, the California AG could impose a $7,500 fine for every California consumer that visited their website during that time frame without the notification. So if 10,000 people visited during that time frame, the company could potentially receive a $75 million fine from the AG. For every consecutive violation, the AG could decide to impose similar hefty fines.     

CCPA Compliance Requirements

In order for non-Californian businesses to meet the CCPA’s requirements and comply with their consumers’ new rights, they must be able to: 

  • Understand the data they have in order to provide proper notifications and disclosures, and then provide those notifications and disclosures.

  • Create a process to accept and handle consumer data requests.

  • Properly train their employees regarding the CCPA and their processes created to comply with the law.

Federal Legislation

In September 2019, 51 top CEOs in the U.S. pushed for new federal privacy legislation. And there have already been several attempts to rethink the U.S. processing of personal data on the federal level. One of the most contentious issues among members of Congress appears to be whether federal law should serve as a baseline requirement or preempt stricter state laws.  However, Democratic and Republican sides have found some important common ground in giving individuals extensive rights and robust controls. For instance, the most notable proposals for federal privacy law (COPRA and the CDPA) have in part gone beyond the CCPA by requiring an opt-in for the processing or transfer of sensitive covered information.

Conclusion 

The CCPA targets data that relates to Californian consumers, regardless of where the regulated businesses are located in the world. It marks an important step forward for U.S. consumer protection rights and is just one of the many up-and-coming data regulations triggering tectonic shifts in data privacy across the U.S. 

If you have questions on how your business should tackle the CCPA, or on data governance in general, please contact the Datawallet team at any time. Datawallet provides businesses with all the tools they need to comply with today’s and tomorrow’s data regulations. We also have a self-service CCPA Readiness Questionnaire, or you can and request a quick, free CCPA Readiness Assessment from our experts. You can find out whether the CCPA applies to you with our self-service CCPA Questionnaire. And if you want to jump right in, start your free trial of our easy-to-use compliance platform here.

Get the Data Digest in your inbox