California leads the way with the California Consumer Privacy Act 2018 (USA)
The CCPA comes into force on 1 January 2020, but from 1 January 2019 consumers may start requesting personal data under it.
What is happening?
All businesses that serve California-based consumers and either:
- have $25m (or equivalent) in annual revenue, or
- hold data on at least 50,000 people, or
- collect more than 50% of their revenues from the sale of personal data,
will need to comply with the California Consumer Privacy Act (the CCPA).
Why does it matter?
Consumers in California will be empowered with certain rights regarding their data. Retailers should be aware of the key consumer rights included in the CCPA:
- right to know/access – businesses will need to comply with disclosure requests for information covering a 12-month period
- right to opt-out – consumers in certain circumstances will have a right to opt-out of the sale of their information
- right to deletion – consumers have the right to request that any personal information is deleted
- right to equal service – businesses are prohibited from discriminating against a consumer for exercising any rights under the CCPA
- reasonable security – retailers must implement reasonable security measures to protect against data breaches.
NOTE: The CCPA provides individuals with the ability to recover statutory damages ranging from $100-$750 per consumer per incident for data breaches.
In the medium to long term, there is likely to be wider regulatory change in the USA. Reflecting the EU’s General Data Protection Regulation (GDPR), the introduction of the CCPA is a milestone in modernising the data privacy regime in the USA. Following the CCPA, two outcomes are widely speculated:
- other states will follow California and adopt similar GDPR-like approaches (the CCPA itself is still being fine-tuned by the state, and there has already been one round of revisions), or
- a federal-level data privacy framework will be enacted.
Either way, it is certain that we will see a more consumer-focused data privacy framework across the USA.
What action should you take?
Some retailers may be compliant with the CCPA already, by virtue of the GDPR. However, if not, and your business activities fall within the scope of the CCPA, you should:
- ensure you have sufficient data management systems in place to deal with disclosure requests
- review existing agreements with service providers to identify and resolve any potential gaps
- keep a close eye on state and federal-level developments to stay aware of further data privacy changes more widely in the USA.