Businesses need to be concerned with consumer protection and privacy rights. This is even more important now because new California legislation, the California Consumer Privacy Act (CCPA), impacts every business in the United States of a certain size or type that has even a single business contact or customer in California.
Most businesses that have an online presence have customers or do business in California. The e-commerce market for customers from California is enormous. Fortune reports that California is the fifth-largest economy in the world and is larger than the economy of the UK.
The expectation is that many other states will follow the lead taken by California with the CCPA regulations by improving privacy rights with new legislation in their states as well.
How Important is Consumer Protection?
Forbes reports that the new consumer privacy act in California, which goes into effect on January 1, 2020, is changing the face of online business for nearly every company in the United States. These laws also impact the operations of companies from other parts of the world that have American customers.
Businesses that are not prepared for the new California laws face significant financial risks from potential breaches. Past data breaches have already cost many businesses dearly in fines and settlements.
Facebook is under attack for privacy violations under federal consumer protection laws. A breach of Facebook servers on the Amazon cloud exposed 540 million users’ personal information. DW reported that this resulted in $5 billion in fines for Facebook.
The U.S. Supreme Court is reviewing the Google settlement for the privacy rights violations that came from a data breach of the Google+ system. Google has to shut down Google+ over the data privacy leak.
Equifax exposed the confidential credit history and personal information of 147 million Americans. Capital One had the same troubles as Equifax with 103 million consumer account records. The settlement for damages for these breaches is in the hundreds of millions of dollars.
Pew Research Center discovered that the fallout with consumers, caused by these huge fines and settlements, is that about half of American consumers do not trust companies with their personal information. American consumers think that many companies are doing worse at protecting confidential personal information than they were five years ago.
Consumer protection is a desperately needed regulatory effort because of the enormous amount of money being made from the valuable uses of consumer data and the coinciding damages to consumers from misuse of their data. This information is bought, sold, and traded between companies at a hectic pace. Consumers are being tricked into giving up personal information by clicking through disclosure screens, or the install screens of downloaded apps, to accept terms and conditions that hardly anyone ever reads.
Fighting for privacy rights may be a lost cause because they hardly exist. However, abuses and damages caused by the misuse of personal information are things that can be fought using new regulations. Avoiding extensive fines is a strong motivator for large companies that have significant risk exposure. These fines may be in the billions of dollars, as the Facebook experience shows. They are even more damaging to smaller companies that cannot afford to pay them and the damages that they have to pay on top of the fines.
What changes come from the CCPA regulations?
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Enforcement of violations begins six months later on July 1, 2020.
Every business, no matter where its headquarters is located, may be affected if it has customers that come from California or does business in the state. Under California laws, “doing business in the state” is a very broad definition and includes having a single business meeting or making a single sale to a California customer.
Due to the sales tax laws of California, a company that makes any online or other retail sale to a California resident must pay sales tax to the state and is, therefore, doing business in the state regardless of where the company is located.
Consumers Gain Control Over Personal Data
The CCPA regulations add new safeguards to data regarding how it is collected, stored, and used. This helps consumers regain control over personal information with the ability to take action to monitor and protect confidential data in many ways that include:
- If a business wants to collect personal data, it must inform consumers of its intention to do this.
- Consumer rights improve to allow them to access their personal information that a company has collected about them. Consumers also have the right to know where the personal data originated, what purposes it will be used for, and who has access to the information.
- The new California laws give consumers the right to prevent any business from selling personal information about them to third parties.
- If a company plans to sell the personal information to third parties, a consumer must actively opt-in and give express permission that allows a company to do this with their personal information. This consumer data selling is no longer something that can be hidden in the fine print.
- Consumers have the right to opt-out and request a business to delete any confidential personal information that it has already collected about them.
- Discrimination against consumers who exercise their rights to privacy under the CCPA regulations, in the form of higher prices or refusing service, is prohibited.
Companies that Must Comply with the CCPA
The CCPA rules apply to companies that meet ANY of the following minimum criteria:
- Gross Revenues: Annual gross revenues for the company exceed $25 million. These revenues can come from anywhere and are not limited only to sales made in California. In other words, if a company exceeds this annual revenue minimum and makes a single sale to a consumer in California of any amount, the CCPA regulations apply.
- The Number of Individual Customers: The company collects, shares, or sells the personal information of more than 50,000 individual customers. This includes non-profit organizations.
- How Revenues are Earned: The company earns more than half of its annual revenues from selling the personal information of individual consumers.
Penalties for CCPA Violations
The International Association of Privacy Professionals (IAPP) reports that the penalties for CCPA violations are $2,500 per incident if the violation is unintentional and $7,500 per incident if the violation is intentional. These amounts may sound small at first; however, if a company, with millions of users, is found in violation of the CCPA regulations, the fines could be enormous.
For example, in California, Facebook has about 25 million users. If Facebook faced the maximum penalty for all of its Californian users, for an unintentional violation that fine could be around $62 billion. If the violation was found to be intentional, the fine could go as high as $186 billion.
The changes required under the CCPA regulations are extensive. Many businesses are not yet prepared. Businesses need to take immediate steps to implement the necessary changes. Businesses should evaluate their current data collection, storage, and usage processes, take stock of privacy controls, set up a CCPA monitoring program, and implement technology solutions to monetize data in ways that do not violate the CCPA privacy regulations.