The purpose of the California Consumer Privacy Act of 2018 is to force changes onto enterprises that deal in personal data. The Act was passed by the California state legislature and was signed by its governor in June 2018. The bill grants consumers the right to request that a business disclose the specific pieces and categories of personal information that it collects about them, the types of information sources, and the business purposes for collecting or selling the information. The bill takes effect on January 1st, 2020.
States and countries are taking consumer rights and personal data privacy more seriously.
Who is Liable for Compliance with the Consumer Privacy Act of 2018?
If your business meets these thresholds, then it is liable for compliance:
- Annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 consumers, devices, or households.
- Derives 50% or more of its annual revenues from selling its consumers' personal information.
- Has annual gross revenues larger than $25 million.
Here are some details of the Consumer Privacy Act of 2018, both from the business and consumer standpoint.
The Business Standpoint
- The Consumer Privacy Act applies to any business that collects consumers' personal information. This includes both large corporations (with brick-and-mortar and online stores) and smaller companies that meet the above thresholds. Even if a business doesn't fit the monetary limit (e.g., a small business with a modestly popular app or website), the Act may be applied.
- For a business to comply with this new legislation, it will need to implement new infrastructure to handle its consumer requests. It will also need to alter its website to comply with the bill. This will increase the cost of doing business for some companies.
- Can a business charge differently based on consumers choosing to exercise their rights? There’s some confusion about that. A part of the bill says that businesses cannot charge different prices if a consumer exercised their right, but nothing seems to prevent a company from doing that. We’ll have to wait to see what will unfold over time.
- An enterprise can offer consumers an incentive for collecting, selling and deleting personal information. To achieve this, consumers would have to provide their consent (which they can revoke at any time).
The Consumer’s Standpoint
- A consumer has the Right of Access: they can request that a business that collects personal information disclose the specific pieces and categories of personal information that the company has collected.
- A consumer can also exercise the Right of Deletion: they can request that the business delete any personal information it has collected.
- A consumer has the right to know to whom their personal information was sold. Businesses are obligated to release information about how and to whom they disclosed or sold the consumer’s personal information.
- The consumer gains more control over how their personal information is collected, sold, or used.
Businesses need to be prepared, as the California Consumer Privacy Act of 2018 comes into effect in about a year. The majority of companies conducting business in California will be affected by these changes (and other states will inevitably follow). Businesses can't afford to delay their response to both the GDPR and the 2018 Consumer Privacy Act.
Contact Managed Solutions to get help in preparing for the California Consumer Privacy Act of 2018 compliance.