California has recently taken a broad step to give its residents some of the strongest data privacy rights in the United States. The state has signed into law the California Consumer Privacy Act of 2018 (CCPA) (for more details visit Reciprocitylabs.com), following closely in the footsteps of the European Union's General Data Protection Regulation (GDPR). If you operate an international business that touches California, the CCPA matters a great deal. This article examines the CCPA and its impact on foreign businesses.
What Is CCPA?
The California Governor approved the CCPA as Assembly Bill 375 in June 2018. The bill was later amended on September 23 of the same year through Senate Bill 1121. The act takes effect on January 1, 2020 and is, by far, the most stringent data privacy law in the United States.
When it takes effect, California residents will have the power to view, restrict the use of, and request the deletion of the data your company holds about them. The CCPA also gives consumers the right to sue if a breach of their non-encrypted, non-redacted personal information (PI) results from your failure to implement reasonable security measures. But what counts as "personal information"? According to the CCPA, the following are examples of data that qualify:
- Identifiers such as names, postal addresses, online identifiers, IP addresses, email addresses, Social Security numbers, driver's license numbers, passport numbers, and similar identifiers.
- Biometric information such as fingerprints, retina or iris scans, faceprints, and hand geometry.
- Professional or employment-related information.
- Internet or other electronic network activity, such as browsing history, search history, and interactions with websites, applications, or advertisements.
- Commercial information, such as records of products or services purchased and purchasing or consuming histories.
- Geolocation data.
Who Must Comply?
The CCPA applies to for-profit businesses that do business in California and collect personal information from California residents, whether the data is collected or shared online or offline. Your business must comply if all four of the following apply:
- You operate a business for profit.
- You do business in California.
- You collect (or hold) personal information obtained from California residents.
- Your business decides, alone or jointly with others, the purposes and means of processing that information.
And if your business meets at least one of these thresholds:
- Annual gross revenues of more than $25 million.
- Annually buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices.
- Deriving 50 percent or more of annual revenue from selling California consumers' personal information.
A business that controls, or is controlled by, a business meeting these criteria and shares common branding with it is also covered.
There are exceptions. A business that meets none of the criteria above is outside the act's definition of a "business", and non-profit organizations are exempt. Even if your foreign company is exempt from the CCPA, you should check whether SB-327 (California's connected-device security law) and the California Online Privacy Protection Act (CalOPPA) apply to it.
Impact on Foreign Businesses
As the name suggests, the CCPA protects "consumers", which the act defines as California residents. Residency, not momentary physical location, is what counts: a Californian who travels outside the state for a temporary purpose is still a consumer under the act. So if your business holds personal information about California residents, it needs to stay alert regardless of where the business or the individual happens to be.
Perhaps you're wondering what happens upon non-compliance. Just like domestic businesses, foreign companies can be sued by consumers whose non-encrypted, non-redacted personal information is breached because the company failed to implement reasonable security measures. In such a suit the consumer can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, and these suits can be brought as class actions. Separately, the California Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, for other breaches of the act.
The CCPA gives California consumers the following rights:
The right to know: A consumer has the right to be informed about a business's practices regarding the collection, use, and disclosure of their PI. For your foreign company, this means you need a privacy policy that tells consumers which categories of PI you collect, why you collect them, and with whom you share them.
The right to delete: Consumers have the right to request that you delete their PI. As a foreign company, do you have a policy and procedures for locating and deleting a specific person's data across your systems?
The right to opt-out: Consumers have the right to direct a business that sells their PI to stop. For minors under 13, the sale of data requires affirmative authorization from a parent or guardian. For minors between 13 and 16, your business cannot sell PI without the minor's own affirmative opt-in.
The right to non-discrimination: A business cannot discriminate against consumers for exercising any of the rights above. This means you cannot deny consumers goods or services, charge them different prices, or provide a different level of service because they chose to exercise these rights.
As with all compliance, costs matter. According to a report by the California Department of Finance, a firm with fewer than 20 employees might spend $50,000 upfront to become compliant. On the higher end, firms with more than 500 employees may pay more than $2 million upfront to become compliant.
Just like the GDPR, the CCPA has a long reach, affecting your international business even if it has no offices in California. Whether or not a federal privacy law eventually preempts the CCPA, preparing for compliance is critical for every foreign business that handles California residents' data.