Over the past five years the number of businesses that have had their consumer data breached has skyrocketed: billions of private email addresses, bank card numbers and other deeply personal data points have been exposed online and are now in the hands of hackers. It is not overly surprising that 75% of consumers believe companies do not take the protection and security of their data very seriously. UK British Airways owner IAG, Equifax, Marriott, Uber and even the US Department of Health and Human Services have all experienced high-profile consumer data breaches. And giants like Google and Facebook continuously come under severe scrutiny for their lack of transparency about how they collect and handle personal data.
In the era of personalization and the consumerization of personal consumer data, governments and legal bodies are beginning to create and enact consumer data protection laws. The European Union was the first to introduce its GDPR legislation back in May 2016, a set of rules designed to give EU citizens more control over their personal data.
California has now become the first US state to follow its lead, introducing its own consumer protection law to protect the privacy of California consumers. The California Consumer Privacy Act, or CCPA for short, takes effect on January 1, 2020. Similar to the European Union’s General Data Protection Regulation (GDPR), the CCPA is meant to address consumer data privacy rights for California residents, and businesses that don’t comply with the mandates by July 1 will face stiff fines.
What is it all about? The CCPA requires businesses to tell consumers what categories of information they are collecting, what sources they are using to get the information, and what they are going to use it for. The scope of personal information covers anything that can be associated with an individual, from financial and medical information to internet activity, IP addresses and even inferences drawn from the data. Anything that can be associated with or identifies an individual could be covered. Businesses will also have to reveal what types of third parties they share information with. In short, under this law businesses now need to be significantly more transparent about how they collect, use and disclose their customers’ personal information.
Not only that, but the CCPA also gives consumers the right to request, free of charge, what personal information a business holds about them and how it is used. Businesses have 45 days to comply, though that can be extended to 90 days. Uniquely, the consumer also has the right to ask a business to delete information about them, and the business has to tell the consumer that they have that right. When a business receives a verified request to delete a consumer’s personal information, it will have to delete it. Those that don’t play by the new rules could face millions of dollars in penalties.
While the GDPR is much harsher in terms of fines (4% of annual global turnover or €20 million, whichever is greater, for organizations that infringe its requirements), the maximum penalty under the CCPA is $7,500 and is reserved for intentional violations only. Other violations lacking intent remain subject to the pre-set $2,500 maximum fine. The largest financial impact on businesses is the CCPA’s provision giving consumers the right to bring lawsuits. Such suits may arise when their “non-encrypted or non-redacted personal information” is breached, regardless of the harm done. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, the consumer may receive even more.
So, who exactly needs to comply? The law will apply to a business if it, or an entity it controls or that controls it, collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:
- Has annual gross revenue that exceeds $25 million
- Annually receives, buys, sells or shares directly or indirectly the personal information of 50,000 or more California residents, households or devices
- Half or more of its annual revenue comes from the sale of personal information about California consumers
An important, indeed significant, nuance of the law that all businesses should be aware of is that this expansive act is not limited to companies headquartered in California. Rather, the law is designed to give consumers more control over their personal information; it reaches beyond California’s borders and applies to any company that does business in the state of California. So even if your for-profit SMB isn’t located in the Golden State, you may not be off the hook when it comes to compliance.
What should a business or restaurant do to get ready? The first step any business should take is to find out what information it is recording, who in the company stores that information, and what the restaurant is doing with it. Then you need to scrutinize and update your data security operations. A good starting framework for handling data and data breaches can be found on the National Institute of Standards and Technology or the National Restaurant Association website.
It’s also important for restaurants to create procedures that let consumers choose whether or not their information is shared with third parties. Companies can also create or update data-use disclosures so that they have something to give customers who ask how their personal information is being used. If a restaurant already has a good handle on its cybersecurity and has all the paperwork in order, the CCPA should be only a small addition to the workload.
However, even if your restaurant is not directly affected by the California Consumer Privacy Act, it’s only a matter of time before privacy regulations affect your business. Since the U.S. government has yet to implement a federal privacy law similar to Europe’s General Data Protection Regulation (GDPR), individual states have begun to craft their own measures, as we have seen in California, and many states are using the CCPA as a template for their own laws.
When enacted, California’s privacy act will be one of the most restrictive bills of its kind in the nation and will likely affect tens of thousands of businesses worldwide that collect California consumers’ personal information. Businesses and restaurateurs need to make sure they abide by the law, as doing so makes far more financial sense than being hit for noncompliance.