California’s GDPR: The Impact of New Privacy Regulations on Product Teams
They say what starts in California, for better or worse, has an inclination to spread to the rest of the country. This may well be true of the Golden State’s new privacy regulation, the California Consumer Privacy Act (CCPA) of 2018. This law promises to do for California consumers, and quite likely all Americans, much the same that the General Data Protection Regulation (GDPR) has done in the European Union. In essence, consumers would own their personal data for the first time. This has serious implications for a wide range of companies—from technology, to services, to online media and many others—that collect personal data on customers.
When the CCPA goes into effect in January 2020, it will be the most stringent and far-reaching consumer privacy regulation in the United States. Consumers will be newly empowered to sue for data breaches, even as the state of California will have significant authority to issue fines for noncompliance. While the law applies specifically to residents of California, and only when they happen to be within the boundaries of the state, it will impact more than 500,000 U.S. businesses collecting personal data, according to the International Association of Privacy Professionals. As a product manager or product leader, you must be aware of the requirements and the effects it will have on your organization.
Your Customers’ Rights Under CCPA
Under Article 1, Section 1 of the California constitution, the right to privacy is an “inalienable” right of a free and independent people. The CCPA enshrines this right in the context of consumer data: “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”
The main tenets of the new regulations are that consumers have the right to:
- Know what information is collected on them
- Know to whom their information is sold or disclosed
- Forbid the sale of their personal information (the right to opt out)
- Require the business to delete their personal information upon demand
- Expect equal service or price even if they invoke their rights
The Steep Cost of Data Breaches and Noncompliance
The state of California has given the CCPA significant teeth to ensure compliance and data security. Companies have a “duty to implement and maintain reasonable security procedures and practices” in order to ensure safe handling of consumer information. Consumers who are victims of a data breach can bring civil actions for $100 to $750 per incident—a figure that can quickly reach into the tens of millions of dollars or more for large security breaches. (The infamous 2014 Target data hack affected an estimated five million Californians.)
Furthermore, businesses have 45 days to respond to a consumer demand for action. The state attorney general is authorized to fine unresponsive businesses up to $7,500 per incident, again potentially reaching into the millions of dollars for large-scale noncompliance.
The Law Probably Applies to You
It’s important to note that not all businesses are affected. However, if you are a data provider, technology company, marketing or online media business, or one of many other similar organizations that collect personal data, chances are you will have to comply. Specifically, the law applies to organizations that meet at least one of the following criteria:
- Earn at least $25 million in revenue
- Buy data on 50,000 households, individuals or devices
- Earn 50 percent or more of their annual revenue from consumer personal data
A number of specific exemptions apply, such as for health care providers and certain others. Nevertheless, in technology-centric California, a large percentage of businesses are directly impacted. Moreover, given the state’s influential role as the world’s fifth largest economy and home to one in eight U.S. residents, many non-California businesses will likely find it easier to simply adopt the new regulations across the board rather than apply a different set of standards outside of California.
Close but Not Quite GDPR
There are some important differences between CCPA and GDPR. Under the California law, companies do not have to obtain explicit consent for collecting consumer information (unless the individual is under the age of 16), nor are they necessarily required to stop collecting personal data in all instances. However, it is clear that the GDPR serves as an important inspiration for the California privacy regulation.
How to Prepare for CCPA
Despite these differences, organizations that already comply with GDPR will be better prepared for CCPA compliance in January 2020. The law is general in some respects while imposing rather specific requirements in others. For instance, you must operate an 800-number for opting out, as well as provide an option on your website labelled “do not sell my personal information.”
It took over two years for GDPR to come into effect from the date it was passed into law. Even with such a long leeway, only about 40 percent of companies were ready for full GDPR compliance a few months before the law became enforceable. If there is one lesson to be learned, it is: don’t be caught off guard. You can prepare for CCPA with the following checklist.
- Talk to your legal counsel to get started.
- Determine if CCPA applies to you.
- Audit data-collection practices to identify the personal data you collect and where you store it.
- Conduct an infosec audit. Ensure that personal data is either encrypted or redacted.
- Thoroughly study CCPA to understand its specific requirements and your new obligations.
- Review (or define) your policies, roles and responsibilities for data management.
- Update your privacy policies (again).
- Consider if and where explicit opt-in requests make sense for your organization.
- Decide whether to proactively communicate your position on CCPA to customers.
- Hire a chief data protection officer.
If GDPR did not already compel you to invest in a data protection officer, now may be the time to hire one.
How Product Leaders Can Embrace CCPA
Ready or not, CCPA is coming. Rather than gnashing your teeth and complying with the bare minimum requirements, your organization can seize it as an opportunity to distinguish itself from competitors. Does it make sense to proactively communicate your position on CCPA and what customers can expect from you? Will your customers trust you more if they perceive you as more transparent? In a highly competitive market with little obvious product difference, transparency and communication may be what differentiates your brand. After all, research indicates that, all else being equal, 83 percent of consumers are likely to choose the more trusted brand.
It is clear that regulators and consumers are increasingly focusing on companies’ data management practices. In this new environment, proactive product leaders can build customer goodwill, and perhaps build brand loyalty, by putting consumers first. By embracing a transparent and simple philosophy, you can take the first step towards successful CCPA readiness.
The preceding represents my best understanding of the California Consumer Privacy Act at the time of this writing. It should not be construed as legal advice. Please refer to the original text of the law and consult a qualified legal counsel for legal advice.