Understanding California’s New Privacy Laws

Oct. 1, 2018
In June, California enacted what has been seen as one of the most far-reaching consumer protection privacy laws in the nation. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, was signed into law on June 28 by Governor Brown as a response to a growing concern that consumers need stronger means to protect their personal information.

In June, California enacted what has been seen as one of the most far-reaching consumer protection privacy laws in the nation. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, was signed into law on June 28 by Governor Brown as a response to a growing concern that consumers need stronger means to protect their personal information — in part due to recent data breaches as well as other privacy incidents that have affected millions.

The CCPA will impose a range of new requirements on businesses with the end goal being to ensure consumers enjoy “choice and transparency” when it comes to their personal information.

“This California Consumer Privacy Act creates important and new obligations to businesses — regardless of where they are located — that serve California residents or whose websites and mobile apps draw from California residents and collect their information,” said Chris Olson, CEO of The Media Trust, a digital vendor risk management firm.

“In the digital economy, that could be most businesses with an Internet presence,” Olson said.

For those in California, or who do business with clients and/or customers in California, this is a truly big deal, and not something any business should think they are above.

“To stay compliant, enterprise websites and mobile apps will need to provide a separate track for users who are California residents,” Olson added. “And when requested by any California-resident users, they will be required to provide within 45 days whatever types and pieces of personal information they’ve gathered. Moreover, this act makes it easier for consumers to sue companies following a data breach, so companies will need to put in place better security practices and procedures to prevent those breaches from happening, or at the very least minimize their impact.”

User Control

CCPA has already been somewhat controversial, as many critics contend it was a hastily-passed law that only came about as part of a deal brokered by the state’s Legislature and Governor as a way to avert what could have been a costly fight over a proposed ballot initiative. That proposal, which was backed by the state’s privacy activists, could have resulted in an even more stringent measure appearing before California voters in November.

As passed, CCPA grants residents in California the right: (1) to know what personal information is being collected about them; (2) to know whether their personal information is sold or otherwise disclosed and to whom; (3) to say no to the sale of their personal information; (4) to access their personal information and request deletion under certain circumstances; and (5) to receive equal service and price, even if they exercise their privacy rights.

So far, it is unclear how this will actually be enforced but those violating the law could face fines ranging from $100 to $750 per consumer per incident. More importantly, CCPA also empowers the state’s Attorney General to pursue cases against businesses for damages of up to $7,500 per violation for what has been described as “intentional violations.”

The question, of course, becomes whether all California-based businesses need to be worried about CCPA? The short answer for quick lube operators is probably not to worry, but it is something that experts say they still need to think about.

“This isn’t really bad for business,” said Michal Priem, CEO of Modern Impact, an analytics research firm. “Most honorable brands — and that includes most major national companies — typically have good intentions about how they collect consumer data.”

This data can include phone numbers and email addresses and other personal information, and CCPA is about making sure this data isn’t sold to third parties. The law also makes it clear how companies notify or contact the customers that provide that data.

“CCPA is simply about what data is being collected,” Priem said. “Consumers already have good reason to be worried about how their data is being collected and then used. What this law is really about is ensuring that consumers are given the ability to opt in or out, and about providing fair language and not a lot of legal terms consumers may not understand.”

On the surface, it might sound like most businesses might never be affected by CCPA, but as has been seen with many regulations, what starts in California has a tendency to migrate to other states.

“Given consumers’ growing wariness of data breaches and leakage, businesses only have to look to a myriad of emerging state initiatives to understand what’s coming,” Olson said. “It’s possible that the CCPA could set the stage for federal data privacy legislation if staying compliant with 50 different laws becomes too cumbersome for businesses.”

For those businesses in California, it is simply a matter of ensuring that consumers understand how their data is used.

“As we’ve seen, most national chains across industries understand this, and this is why we’re all seeing those new user agreements in our email inboxes,” Priem said. “For those smaller businesses, it is just making sure that the data is protected and not used in ways consumers don’t want. This is a law everyone should understand.”

How the European Union’s GDPR Could Affect You

CCPA may not be the only new privacy law on the books that operators should be concerned with when it comes to customer data. In May, the General Data Protection Regulations — or GDPR — went into effect in the European Union. First approved in April 2016, this new legislation has radically changed how companies can do business online, even if the company has little to no presence in Europe.

GDPR was approved in April 2016, and European authorities gave companies two years to comply with the new sweeping measures that replaced the previous Data Protection Directive in the 28-nation EU bloc. The goal of the law was to give consumers greater control of their respective personal data that is collected by companies online. This includes not only organizations that are located within the EU, but also applies to any companies outside the region if they offer goods or services to, or even have a digital footprint with, consumers in the EU bloc.

Many American businesses might not think GDPR will ever apply to them, but just because these companies don’t do business in Europe — and have maybe never visited Europe — they shouldn’t think they are in the clear.

“No, they are not,” said Chris Olson, CEO of The Media Trust. “Any business, regardless of where they are located, with an internet presence that can be accessed by EU citizens is not off the hook. Websites and mobile apps tend to collect information on visitors and users, respectively. Whether website/mobile app owners do this knowingly or through their third-party code suppliers, they will be liable for any unauthorized collection of personally identifiable information belonging to EU citizens.”

This can be quite costly — far more than the level of fines California is imposing under CCPA. Under GDPR, those companies that are not compliant face serious fines of up to 4 percent of annual global revenue or 20 million euros ($24.6 million), whichever is larger.

The other part of this is, if a shop in the United States even has customers from the EU, the issue of GDPR could come into play.

“If you have any customers who are EU citizens, whether they are visiting or working here, you might need to be concerned,” warned Michael Priem, CEO of Modern Impact.

“Even more than CCPA, this is about the collection of data,” Priem said. “This is why we’ve been seeing retailers in the United States updating their privacy policies. Many large brands have strived to become GDPR compliant.”

In many cases, experts agree that the EU probably won’t come after small mom-and-pop businesses. But now, with CCPA on the horizon in California, privacy and customer data is going to become an ever bigger issue — one that no company will be able to ignore for long.

“The best way they can avoid any unauthorized activity is to continuously scan their digital assets in real-time, so they can identify and root out bad actors,” Olson said. “Because the real problem for most website owners is that they don’t know they’re collecting information, and, in most cases, they don’t know who their third-parties are and what information their third-parties are collecting.”