Recently, California's Consumer Privacy Act went into effect, introducing new legislation on consumer data privacy and online rights. To learn more about the potential implications for businesses operating in California, read our article.
In the digitally driven world we live in, many individuals feel like they have less and less control over their personal data. When most of us log in to a new device or install an app, the first thing we see is a flurry of notifications asking for permissions to our data. In the last few years, consumer pushback against business data collection has increased in response to several large organizational data breaches, resulting in legislative changes.
Recently, the California Consumer Privacy Act (CCPA) went into effect to help safeguard consumer rights and regulate how businesses handle customer data and online privacy. Understanding this new piece of legislation is critical for any business that operates or has customers in California.
The California Consumer Privacy Act was signed on June 28, 2018 by Governor Brown, but enforcement started in July 2020. This groundbreaking law is the first of its kind in the U.S. to directly legislate consumer privacy rights online. Under the CCPA guidelines, businesses must respect certain clearly outlined consumer rights to avoid regulatory fines or potential lawsuits.
The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:
Yes. The CCPA guidelines state that if you do business with customers in the state of California, you must comply.
If your business serves California residents, you must comply with the following:
Dylan added several golf clubs to his online shopping cart over the last few weeks. Dick’s Sporting Goods, the seller, used cart behavior and clickthrough data to infer that Dylan may be interested in other golf equipment and categorized him as a “ready to buy” customer for marketing follow-up. Under the CCPA, Dick’s Sporting Goods must fulfill Dylan’s request to access his consumer profile and see how the data was collected.
How can businesses notify customers about data collection?
Businesses may notify consumers by including a disclaimer in the footer or at the bottom of their website, or by using a pop-up alert.
How can businesses notify customers about data deletion?
Under the CCPA, businesses are given 45 days to respond to any customer who requests to see their data profile or have their information deleted. The CCPA also requires that businesses have a part of their website where customers can file any data-related requests.
Under the CCPA, there are a handful of exceptions to the right to delete that a business can claim. Deletion is not required if:
Enforcement of the CCPA currently falls under the jurisdiction of the California Attorney General. Penalties for violating the CCPA may include hefty fines of up to $7500 per violation or up to $750 per customer affected. Under the CCPA, consumers are also encouraged to take individual legal action if they think that their consumer rights are being deliberately violated.
Cyber Liability Insurance enables your company to protect against first- and third-party cyber-attacks. This includes breach notification, legal defense costs, and system disruption in the event of a cyber-attack. A good Cyber Liability policy covers virtually every aspect of total cyber exposure. You can purchase a Cyber Liability policy online from Zeguro and adjust limits with them to suit your needs. Once it binds, it stays in effect for the rest of the policy term.
In light of California’s Consumer Privacy Act going into effect, other states have followed suit. A few days ago, Virginia passed its own comprehensive privacy law called the CDPA (Customer Data Protection Act), joining California as the second state to do so. The act draws inspiration from both the California Consumer Privacy Act (CCPA) and a new proposed Privacy Act in Washington. The act has very similar provisions and penalties to the CCPA and primarily applies to companies and individuals conducting business within the Commonwealth of Virginia or those who manufacture or provide goods or services to Virginia residents.
The passage of both the CCPA and CDPA reflects changing sentiment surrounding consumer privacy and data protection. Business owners can expect other states around the U.S. to start considering similar legislation.