Two years ago, around this time, we wrote our first post in a series leading up to the European transition to the General Data Protection Regulation (GDPR). The GDPR went into effect in the spring of 2018 and transformed the way many businesses worldwide conduct themselves when it comes to protecting individual privacy online.
GDPR compliance became a priority for any organization handling the personal data of EU consumers. For some organizations, it required substantial changes as a result of individuals gaining greater control over their personal data.
We’re now fast approaching another landmark in privacy legislation. This one is the California Consumer Privacy Act (CCPA) that will go into effect Jan. 1, 2020, with enforcement beginning in July. Because Hushmail went above and beyond in meeting the GDPR requirements, we are well prepared and will be compliant with the new legislation.
However, businesses that didn’t need to concern themselves with the GDPR may have to put some effort into complying with the CCPA. Even if you aren’t directly affected by the law, it’s a good idea to take note; the CCPA is likely the precursor to other US state privacy laws and is also fueling the conversation, which started with the GDPR, about implementing federal legislation.
Today, we’re going to take a look at some of the requirements of the CCPA, how it will affect businesses in 2020, and what it means for the ongoing global effort to protect individuals’ personal data.
What is the CCPA meant to accomplish?
The CCPA gives California residents clearly defined rights when it comes to their personal data. These rights can be broken down into a few categories. If you’re familiar with GDPR regulations, these will likely sound familiar to you.
Ownership. Individuals will know what type of personal data is collected, when the data is collected, where it’s stored, how it’s used – for what purpose and by whom.
Control. Individuals will be able to review, change, delete, and opt out of the sale of their personal data at any time.
Non-discrimination. Individuals have the right to exercise their privacy rights without fear of discrimination in the form of changes to terms of price or service.
What businesses will be affected?
Organizations that conduct business online with California residents and that meet one of the following three criteria will be required to comply with the CCPA.
- Gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of annual revenues from selling consumers’ personal information
What will businesses be required to do?
Businesses will need to put procedures in place to ensure the above rights. This will mean detailed notifications when data is collected as well as an easy way for consumers to control their data and opt out of data sales.
In addition, there’s a substantial record-keeping component to the CCPA, and it also requires businesses to fix security vulnerabilities.
If you’d like to learn more about these and other CCPA requirements, take a look at this CCPA fact sheet for a good overview of the legislation.
What does the CCPA mean for individual privacy?
The CCPA is notable because, while the European Union and Canada have put in place substantial laws to protect the personal data of individuals, the US has lagged behind with no federal law and only a few state laws with limited effect.
Although several other US states such as Nevada and Maine have privacy laws, and there are numerous industry-specific laws regarding privacy such as HIPAA, the CCPA is the first of its kind in scope and similarity to the GDPR. Also, coming from the fifth largest economy in the world, the California law will have a significant impact on businesses around the globe.
With its considerable requirements and the possibility of other states following suit (and the compliance difficulties that could result from so many different laws), the CCPA could serve as a powerful catalyst for a federal privacy law.
Hushmail is prepared
The efforts we made with respect to the GDPR compliance standards have set us up for seamless compliance with the CCPA, so Hushmail will be CCPA-compliant when it goes into effect on January 1, 2020. As a company that conducts business with customers all over the world, it behooves us to be proactive when it comes to any privacy regulation. Privacy, after all, is the foundation of everything we do here at Hushmail.
Want to learn more?
If you’d like to learn more about the CCPA and what you can do to ensure your business is compliant, check out the following resources:
Tell us what you think
Do you think the CCPA could lead to a federal privacy law? Or will additional state laws create compliance challenges for businesses? Tell us what you think. Connect with us on Twitter or Facebook and join the conversation about California’s new privacy legislation.