California became the first state that decided to tame the chaos of regulations. It standardized them into 15 pages of succinct text. It is much shorter if we compare it to hundreds of pages of GDPR. Still, CCPA is more practical and easier to grasp.
What businesses will be eligible?
The subject of CCPA compliance covers only individual shares of companies. These companies process personal data of California residents (both outside and inside the state):
- The business should generate a minimum of $25 million annual revenue
- Those businesses that gain less than $25 million yearly income will be compliant only if they yearly sell personal data of more than 50 thousand people of California
- If the business obtains 50% or more revenue from the data classified by GDPR as personal
One of the most critical questions is: What can be regarded as personal data? Identifiers of various nature, biometrics, geolocation, history of activity on the Internet, information about employment, or level of education can be considered private. As well, any pseudonymous data (IP, OS, device, etc.), based on which companies can classify the user, or complete their user portraits or psychological characteristics, is defined by the regulation as personal.
Why CCPA will change the way businesses work
The notion of personal data under CCPA data regulation is truly broad. Additionally, almost every international company has information that belongs to Californians, and even more so of Europeans. In regard to this, together, GDPR and CCPA will reform the operation of myriads of small and medium-sized businesses all over the world.
Even though regulation enactment is looming close, the adoption process doesn’t show incredible dynamics. In this, it isn’t different from last year’s GDPR trend, when only 48.7% of businesses managed to abide by the deadline.
CCPA regulation makes it all the more dramatic. The Eset Survey, held on August 05, 2019, shows spreading confusion about upcoming CCPA regulations among businesses. Thus, only 11.8% of companies are preparing for CCPA. More than 44.2% never heard of the regulation. The rest, – 34% – don’t know if they are eligible at all.
At this stage, it is also essential to understand the specifics of CCPA and access possible risks of delayed compliance. If GDPR obliges companies to obtain user consent prior to personal data collection, CCPA makes companies satisfy only incoming user requests that should be executed within 45 days.
If the user sends a complaint to the company about personal data violation, and it is not resolved in 45 days, the company will be fined 7.5 thousand dollars per case. The data breach is not the only incident on the list of possible penalties. If the user discovers that the company used their personal data – e.g., for advertising personalization against their permission – they will probably want to sue it.
Sure, the Californian government will revise and modify the number of fines in the future. In any case (taking into account all additional technical and legal costs), CCPA may pose damage to companies that don’t manage to comply in time.
CCPA regulation and ad tech
Digital business, like advertising, involves data at every stage of functioning. Starting from segmentation, campaign personalization, and ending with marketing analysis and beyond. The new obligations imposed by CCPA on businesses may turn very challenging for ad tech companies. They almost entirely depend on multilayered data sets. Plus, their partnership networks are complex and interconnected.
Every user will have the right to revoke his/her consent. So, companies, as well as data controllers, will have to develop working mechanisms to execute these rights upon request.
It will be necessary for ad platforms to prove and justify why they need to process personal data of Californians. It will be a must to make sure that vendors who take part in further processing are also CCPA-compliant.
For all those companies that can’t keep up, the only way to prevent undesirable consequences will be closing the California branch. CCPA also obliged companies to make the option “don’t sell my data” visible and available on their websites.
As a result, third-party (purchased and sold) data share will shrink as users will prohibit it. In such circumstances, first-party data (collected personally) will gain more significance. Advertising algorithms soon might be re-built accordingly to meet this new market request.
In the end, such transformations will make the advertising ecosystem more open and transparent. Ad market participants that adopt new standards first will appear as most trustworthy to California customers who like justice probably as much as they like to sue.
What we can learn from GDPR enforcement tracker: dozens of companies were fined last year because they failed to comply. Many of those simply didn’t interpret the legal framework properly. That’s why organize preparation beforehand, while you still have time for experiments and mistakes.
The right way to CCPA compliance
You’ll need to determine what kind of information you collect and whether or not it can be considered personal data. If you have personal data of Californians, be sure you have a definite purpose for collecting it. Store, transfer or sell it in accordance with CCPA requirements. Launch an internal record of the data that you collect and requests from customers that you receive.
If third-party platforms have access to your technologies (including software), make sure you know what data they may collect. Revise your existing partners for CCPA compliance, and if they’re not ready to embrace new regulation, it is a good sign you need to start looking for more reliable collaborators.
Introduce information security standards, such as ISO 27001 or NIST or CIS frameworks. They confirm that your company has built a robust risk management system, business, and technical processes and management in accordance with international standards.
The last word
CCPA is the first step towards a completely new interpretation of data security in the U.S. It is the most sustainable modification of practices that, for many years, were considered basic and unchangeable. It will impact the operation of small and medium-sized companies, but if you prepare well, the adoption process certainly won’t be harder than one with GDPR.
In a progressive democratic society, customer rights are priority number one, and if you understand it today, your company will appear transparent and trustworthy in all business communications tomorrow.