How will the CCPA impact international companies?
California by itself is considered the world’s 5th biggest economy, ranking higher than France, the UK and Italy, with its GDP reaching $2.94 trillion in 2018. It’s hardly surprising given it’s home not only to entertainment mecca Hollywood, but also Silicon Valley, the world’s premier innovation hub and the headquarters of famous tech giants such as Google, Apple and Tesla, to name only a few.
It’s a sought after market internationally and, given its title as the innovation capital of the world, much of the business going in and out of California does so digitally. This is where the CCPA comes into play.
California’s New Consumer Privacy Law
The California Consumer Privacy Act of 2018 (CCPA) was enacted just one month after the EU’s groundbreaking General Data Protection Regulation (GDPR) came into effect, ushering in a new era for data protection legislation. Catching businesses by surprise with its hasty signature into law, the CCPA created shockwaves across not only California, but the entire US. The reason is simple: it’s the most exhaustive and consumer-friendly privacy law in the United States to date.
Under the CCPA, California consumers have, most notably, the right to opt out of the sale of their personal information to third parties, the right to request disclosures about what personal information businesses collect about them, where it’s sourced from, what it is being used for, whether it’s being disclosed or sold, and to whom it is being disclosed or sold, the right to request that their data be deleted and the right not to be discriminated against because they have chosen to exercise their rights under the CCPA.
Its strict requirements have resuscitated talks of a federal privacy law that might impose a – some hope more lenient – standard at national level. However, while talks continue over a potential federal privacy law, the CCPA is set to come into force in less than four months on 1 January 2020.
The reason international companies doing business in California should be worried is because of the CCPA’s extraterritorial reach. Much like its European cousin, the GDPR, the CCPA applies to all companies that collect personal information from consumers and do business in California for profit or for the financial benefit of shareholders and meet one of its three minimum thresholds, regardless of whether they have offices in the state or in the US for that matter.
The CCPA’s three minimum thresholds businesses must meet in order to fall under its incidence of are: they must have $25 million in annual gross revenue, buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers or derive 50 percent or more of annual revenue from selling consumers’ personal information. While this means that small businesses are largely exempt from compliance, the last two thresholds are clearly aimed at companies engaging in the sale of personal information on a large scale.
The extraterritoriality clause is tied to consumers physically located in California. Once California residents are outside state lines they are no longer protected by the CCPA: if personal information is collected about them outside of California and no part of the collection occurred in California, the CCPA does not apply.
Penalties under the CCPA
Like all companies subject to the CCPA, international organizations face fines of up to $750 per consumer per incident or actual damages, whichever is greater, but, unlike in Europe, in California they also face the threat of class action suits. The CCPA grants consumers the right to action if a company has suffered a data breach as a result of its failure to implement reasonable security measures.
While some wonder about the challenges regulators will face in enforcing the CCPA’s extraterritoriality clause, the GDPR has already tested its own in the EU: the UK’s Information Commissioner’s Office’s very first fine was issued to a Canadian company, while France’s CNIL went after bigger fish, fining California’s very own Google a whopping €50 million over its data consent policies in a landmark ruling.
Whether the CCPA winds up superseded by a federal privacy law in the future or not, international companies should prepare for the certainty of the present: the CCPA deadline is looming and the Californian legislators that passed the strict new privacy law seem just as eager as their European counterparts to ensure it is enforced to its full extent. International businesses should therefore take the necessary steps towards compliance.
Find out more about the CCPA and how to prepare for it in our handy in-depth guide.