Every company with distributors or customers in California affected
By Dave Rauf
Businesses operating in California—including almost every direct selling company in the domestic channel—are now required to comply with a sweeping new privacy law called the California Consumer Privacy Act (CCPA), a measure that gives consumers control of how their personal information is used online.
A first-of-its-kind law in the nation, the CCPA gives Californians certain rights over the data that companies—from Facebook and Google to Herbalife and Avon and many more—are collecting from them.
Businesses will now have to honor requests from California residents to access, delete and opt out of sharing or selling their information.
Consumers can also request a full list of all third parties with which their data is shared. In addition, the California law allows consumers to sue companies if privacy guidelines are violated.
The CCPA took effect in January, but draft regulations for enforcing the law are still being finalized at the state level. That means companies have a few months to figure out specifics as the state attorney general works to finalize rules, with enforcement expected to begin in July.
Will Miller, an attorney at the firm Buchalter who specializes in direct selling compliance issues, says companies are going to have to figure out what personal information they are collecting on consumers in California. That, he says, could entail “anything that’s personally identifiable or not available publicly,” including names, addresses, phone numbers and more.
Companies will also have to look at how they are collecting the data: Is there a third-party vendor being used? If so, what type of data is being relayed to them? Is any of the data being picked up via web cookies (small files that websites place on a visitor’s computer to track and gather information)?
That’s going to require companies not only to be more conscious of what data they keep and where they keep it, but also to figure out how to respond to individual requests. And with that will come a new set of challenges.
Miller says there are myriad technical issues that could come into play, such as whether the data will be stored in a general repository or if a company will choose to aggregate the data.
“They have to accurately report back how much data they have and what they have when it’s requested by a customer,” he says. “The IT departments will be tasked with identifying and managing the data, and if you have to do that on a one-off basis for each customer it could lock up your IT department very quickly.”
He adds, “The upshot to all of this is you’re going to have a protocol for handling these types of claims and for segregating consumer data fairly easily as well as accessing back that information for a consumer who asks for it.”
The final scope of the law remains somewhat uncertain. California Attorney General Xavier Becerra published draft rules in October 2019, and a public comment period ended in December.
Final rules are expected by July 2020. The attorney general is barred from taking enforcement action against a business until then.
Here’s what is certain: The law will apply to businesses meeting any of the following criteria, which will include the vast majority of direct sellers conducting business in California:
- Has annual revenue over $25 million
- Receives information of over 50,000 consumers, households, or devices annually
- Derives half of its annual revenue from selling personal information
Companies found in noncompliance can be fined $2,500 if the violation is unintentional and $7,500 if intentional. Businesses have 30 days to fix alleged violations after they have been notified of noncompliance.
What could end up being more costly for companies is the potential for class-action lawsuits in the event of a data breach. The law grants consumers a private right of action between $100 and $750 per incident. That number can increase if the actual damages exceed $750.
While privacy issues have been a hot topic at state capitols across the country, the California law may be a signal for how other states will address consumer privacy. So far, state lawmakers have embraced the CCPA blueprint: At least nine states, including New York, Maryland and Washington, have introduced privacy legislation this year.
A bill was drafted last year in a 10th state, New Jersey, but has stalled in committee. Most of those proposals follow CCPA structure and language.
“This is just the first law,” says Miller, the compliance attorney. “You can bet there will be other states that pass laws that follow the CCPA template.”
For some direct selling firms, complying with the CCPA won’t equate to a herculean undertaking, he says, because many have already taken steps to fulfill data retention and collection requirements laid out in the EU’s set of stringent data protection rules—known as General Data Protection Regulation (GDPR). These rules took effect in 2018.
“That should decrease your costs and implementation costs,” Miller says, noting that some smaller direct sellers lacking a European footprint will be playing catch-up.
Ultimately, the law—and the notion that consumers control how businesses process and sell their personal information—has been chalked up as a victory for privacy rights. But how it will play out for companies is still up in the air.
“This is a sign of the times,” says Miller. “Having companies pay more attention to consumer privacy and data, nobody would argue that’s a bad thing. But with all these laws the devil is in the enforcement. So how these laws are ultimately enforced will determine if they’re good or bad.”