New California CCPA Law Aims to Put Consumers in Charge of Their Data
Violating the regulations can bring stiff penalties
There are more ways than ever for contractors to get in touch with consumers. And there are more ways than ever to get in trouble for contacting consumers. Businesses need to swim through an alphabet soup of regulation when reaching out to consumers. There is the TCPA, a federal law that originally governed phone calls but now also regulates text messages. There are international laws, such as Europe’s GDPR and Canada’s DPA. Now comes the California Consumer Privacy Act, or CCPA, which went into effect this year and has many states considering similar laws.
A recent spate of scandals involving consumers’ personal data drives all this legislation. This includes high-profile data breaches involving very sensitive information, such as those at Experian and Ashley Madison, as well as legal transactions that outraged the public, such as Facebook selling data to Cambridge Analytica.
The CCPA intends to give consumers more control over their data. It allows California consumers to forbid a company from selling that data and even request that a company delete their data. Failing to comply with the law brings serious penalties. Initial non-compliance brings a fine of $7,500, and unintentional non-compliance still brings a fine of $2,500. Companies can still collect data, but they need to use more caution about how they use it.
A business falls under CCPA if 1) its annual gross revenues exceed $25 million; 2) it earns more than half of its annual revenue from selling consumers’ personal information; and/or 3) it buys or sells the personal information of 50,000 or more consumers or households.
That last criterion runs the highest risk for contractors, said Christian Auty, an attorney who specializes in data privacy compliance. The law defines information as anything that can identify an individual, either directly or indirectly. That may make 50,000 a fairly low threshold, Auty said.
It’s still better than the GDPR, which has no threshold. Auty said California attempted to lessen the burden on small businesses. Andrew Allen, chief technical officer at iMarket Solutions, said CCPA puts the control of the data in the consumers’ hands, but the assumption remains that if they fail to opt out, they are opting in.
There is also a record-keeping aspect to the law, as companies need to track how consumers responded. The original opt-out applies every time they interact with a business. This might become something contractors can outsource in the future.
“I love our contractors, but record keeping isn’t always their strong point,” Allen said.
The CCPA grants California consumers new rights:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Figure 1: The CCPA is intended to protect consumers.
CONSUMERS, NOT COMPANIES
Just because a business isn’t physically located in California doesn’t mean it is in the clear. The law covers any qualifying company doing business with a California consumer, regardless of the business’s location. Soon it might not matter. Almost a dozen other states are considering their own privacy laws. Auty said he would prefer one national law.
“It’s one thing to have 50 state data breach laws, because a data breach isn’t an everyday occurrence,” he said. “It’s a little easier to understand who is being affected. When you have four, six, 10 competing laws governing how you’re using data on a daily basis, that becomes unworkable quickly.”
Businesses are subject to the CCPA if one or more of the following are true:
- Has gross annual revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
- As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
Figure 2: The CCPA applies only to certain businesses.
In addition to regulatory fines, the CCPA brings the risk of a class-action lawsuit. The first such lawsuit was filed in February, over a data breach. This is another way the CCPA can have a national effect. Auty said that companies have had some success arguing that consumers weren’t harmed by data breaches. The CCPA asserts that claim is false.
While trial lawyers acted right away on the class-action aspect of CCPA, how soon the state will act remains unknown. The law went into effect on Jan. 1, with enforcement set to start July 1. The California Attorney-General’s office employs more than 1,100 lawyers, but those lawyers have a lot of laws to enforce. Also, the exact regulations continue to evolve. Like many regulations, the CCPA remains vague even after becoming law. The state continues to revise the regulations and take comments on those revisions.
“It’s still the very early days,” Auty said. “Expect more change.”
Auty recommends working with vendors and making sure any contracts with them clearly define the use of consumer data. Providing these vendors with consumer data remains legal as long as it’s done correctly.
Impact on HVAC/Plumbing Clients:
Currently, the CCPA only applies to companies doing business with the residents of California that have more than $25M in annual sales or are selling personal information of consumers with a list greater than 50,000 contacts.
- a) If a contractor does need or want to follow CCPA:
  - i) Provide direct confirmation and approval of cookies being installed. Technically, you can’t collect any information (like loading Google Analytics tracking) until they accept the cookies statement (you have on ACHR in fact).
  - ii) Businesses must create procedures to respond to requests to “opt out” and “Do Not Sell My Info” and provide links to this effect.
  - iii) Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt out as a validly submitted opt-out request.
  - iv) Businesses must then confirm the identity of the user even if they don’t maintain an account with the business.
  - v) Businesses must disclose financial incentives offered in exchange for retention or sale of consumers’ personal information.
  - vi) Businesses must maintain all records of requests made.
Figure 3: Impact of CCPA on HVAC/plumbing businesses.
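Items i, iii and vi of the checklist above, sketched as server-side request handling. This is an added example, not code from the article; the cookie names are hypothetical, and the Global Privacy Control `Sec-GPC: 1` request header is assumed as the user-enabled privacy signal.

```javascript
// Added example. Cookie names below are hypothetical, not from the article.
const CONSENT_COOKIE = "cookie_consent"; // set to "accepted" by the banner
const OPT_OUT_COOKIE = "do_not_sell";    // set to "1" once an opt-out is stored

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// headers: lower-cased request headers; requestLog: array acting as the
// record store. Returns what the page may do for this visitor.
function evaluatePrivacy(headers, requestLog, now = new Date()) {
  const cookies = parseCookies(headers["cookie"]);
  // Item iii: a browser privacy signal is a valid opt-out request.
  const signalOptOut = headers["sec-gpc"] === "1";
  const storedOptOut = cookies[OPT_OUT_COOKIE] === "1";
  const optedOut = signalOptOut || storedOptOut;
  const setCookies = [];
  if (signalOptOut && !storedOptOut) {
    // Item vi: record the request once, then persist it so later page
    // views do not create duplicate records.
    requestLog.push({
      type: "opt-out-of-sale",
      source: "browser-signal",
      receivedAt: now.toISOString(),
    });
    setCookies.push(`${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`);
  }
  return {
    // Item i: no analytics until the cookie notice is accepted. This sketch
    // also keeps analytics off after an opt-out (a conservative choice).
    loadAnalytics: cookies[CONSENT_COOKIE] === "accepted" && !optedOut,
    allowSale: !optedOut,
    showCookieBanner: !(CONSENT_COOKIE in cookies),
    setCookies,
  };
}
```

Opt-outs submitted through a “Do Not Sell My Info” link would be recorded by that link's own handler, which is not shown here.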
To Regulate or Not to Regulate
Many in the technology industry argue against the need to protect consumer data privacy through regulation. Brigham Dickinson, founder of Power Selling Pros, makes that case.
“It’s just good marketing,” Dickinson said. “A company doesn’t want to pay for advertising that doesn’t work.”
Companies want their messages to reach the right consumers, and that helps both the companies and consumers in general. Consumers who want the products will receive the message. Those who don’t will avoid being pestered. The alternative is a return to telemarketing, Dickinson said, and since people today carry their phones with them everywhere, that will prove even more annoying than ever.
Consumers worry about data collection even as they are placing devices in their homes to collect even more data about them.
“The problem with fear is that it’s an imagined future that may or may not come to pass,” Dickinson said. “And even if it does come to pass, it’s not as bad as you think.”