In the US, we often notice that what starts in California eventually spreads to the rest of the country. Whether it's related to fashion, culture or legal issues, if it starts in the Golden State there's a good chance it will spread east across the US. Think of blue jeans and the modern-day plastic hula hoop as just two examples.
With that in mind, it came as no surprise when, on June 28, 2018, California Governor Jerry Brown signed into law another "first" – the most comprehensive (and the first statewide) consumer privacy law in the United States, known as the California Consumer Privacy Act (CCPA). Effective in 2020, the law will apply to any for-profit business that collects California residents’ personal information, does business in the State of California, and: (a) has annual gross revenues in excess of $25 million; or (b) buys, sells, receives or shares for a commercial purpose the personal information of 50,000 or more California residents, households or devices annually; or (c) derives 50 percent or more of annual revenues from selling California residents’ personal information.
And what about recourse? Consumers may be able to sue for up to $750 per consumer per incident when their personal information is exposed in a data breach caused by a business's failure to maintain reasonable security, while the state attorney general can seek civil penalties of up to $2,500 per violation, rising to $7,500 for each intentional violation. In both cases, companies must be given 30 days' notice to fix the problem before an action proceeds.
With California’s population at an estimated 40 million people, it's hard to think of many companies that won’t be impacted by this law.
What is personal data?
From an AAF.org summary: "The CCPA broadly defines the term 'personal information' as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." As you can imagine, in this digital age numerous data points will fall under the CCPA definition of personal information. And to make it even more daunting – companies only have until January 2020 to get their house in order to meet this regulation.
What are some of the rights under the new law?
The new law will give residents the right to:
- Ask for the business reason for collecting their information.
- Know all the data that a business has collected about them.
- Refuse the sale of their data/information.
- Delete the data a company has about them.
- Require an affirmative opt-in before a business may sell the personal information of a consumer under the age of 16 (with a parent or guardian providing that consent for children under 13).
- Know the categories of third parties with whom their data is shared.
Some have questioned this new law, wondering whether it was passed as a mid-term "stunt" to win favor with voters, and whether individuals really care that much about how companies process their data. A recent survey from SAS, however, sheds light on Americans' views toward data privacy.
The survey says?
A 2018 SAS survey of 525 US adult consumers reveals big concerns about data privacy. In the wake of recent data scandals and the implementation of the General Data Protection Regulation (GDPR) in the EU, US consumers are increasingly worried about their personal data privacy. We asked Americans how concerned they were, how that affected their behaviors and trust of companies, and what should be done about it. Here's a summary:
- 73% said concern over the privacy of their personal data has increased in the past few years.
- 66% have taken steps to secure their data, like changing privacy settings, removing a social media account or declining terms of agreement.
- 67% of US consumers think the government should do more to protect data privacy.
What they would like to see done:
- 83% would like the right to tell an organization not to share or sell their personal information.
- 80% want the right to know where and to whom their data is being sold.
- 73% would like the right to ask an organization how their data is being used.
- 64% would like the right to have their data deleted or erased.
As you can surmise, the results from the survey are very much in line with the CCPA guidance. And keep in mind, the survey included individuals from around the country, not just those in California. The privacy wave is coming.
Now what?
Similar to what organizations encountered with the EU General Data Protection Regulation, companies in the US are now scrambling to figure out how to tackle the CCPA. They're asking questions like: What technology should we use, do we have the right experts in-house, and who should be in charge?
Based on our work with companies affected by the European laws, SAS has developed best practices for personal data protection. Here are some of the things we've learned:
- IT alone should not be in charge of data privacy; it must involve every department that works with personal data.
- A culture of data privacy must be established. Every employee must understand their role in securing the data privacy of their customers, and how to best accomplish this.
- Companies must evaluate their current data governance structure and make all data privacy efforts part of that governance program, rather than running privacy as a separate, parallel program.
- All technology considerations must take into account – at the minimum – data access, data quality, data governance and auditing capabilities.
Every company is different, and the path to privacy compliance will vary. But one thing is true across the board: Companies need to act now. The government is taking notice, your customers care, and fines and potential loss of reputation are on the line.
To learn more about our survey results, download the report – Data Privacy: Are You Concerned?