00:06
Adam Stofsky
Shannon, can you explain what is the CCPA and just some key features of it as a law?
00:14
Shannon Yavorsky
Sure thing. So the CCPA is the California Consumer Privacy Act and it is the first omnibus state privacy law in the US. And it applies to for-profit businesses that meet one of three criteria. First, they have to be doing business in California, but then they have to meet one of three criteria. So they have to have revenue in excess of $25 million. They have to receive, disclose, or share the data of 100,000 or more California residents, or they have to derive at least 50% or more of their revenue from the sale of personal information. So that's who the CCPA applies to in terms of the core features of the law.
01:05
Shannon Yavorsky
It really was the first law in the US to take this consumer rights based approach to privacy and gives people the right to access their data, to know what data an organization holds about them. It allows people to ask for their data to be deleted. So you can go to a company and say, I want you to delete all the information you have about me. It allows people to ask, for example, for their data to be corrected, which is kind of crazy that wasn't a right before, but now you can officially ask for an organization to correct your address or other information that they hold about you. So that's really like the main consumer rights features of the CCPA.
01:51
Shannon Yavorsky
The other important parts of the CCPA are the obligation to put in place a privacy notice that describes your information collection and use practices in great detail. So there are lots of different privacy notice requirements under the CCPA, and that's a big part of the law, is the privacy notice, then the individual rights, it has a training obligation. So you have to ensure that people who are respond within the organization that are tasked with responding to a consumer's request have been trained on how to do it and how to comply in a compliant manner. So those are probably what I think of as the core features of the law. And obviously, for non compliance, there can be pretty significant penalties, fines for violations, which include $2,500 for unintentional and $7,500 for intentional violations of the act.
02:58
Shannon Yavorsky
So you can see there be circumstances where this could really add up.
03:03
Adam Stofsky
So that's like per violation, meaning person's information mishandled, in other words.
03:13
Shannon Yavorsky
Yeah, that's exactly right. Yeah. So you could see in a scenario where that could really amount to a significant fine. And last year, the California AG settled with a company with Sephora for $1.2 million for violations of the CCPA. So I think it's worth pointing out that there is teeth in this law.
03:38
Adam Stofsky
One question that might be on a lot of people's minds, I know it's on mine, is this kind of revenue and number of people requirement. Right? So unlike other laws that don't have this requirement, the CCPA is kind of designed for larger companies. How is that counted? How do you know if you have... well, $25 million in revenue is probably easy enough, but how do you know if you even have customers in California? What does that mean? If you have someone buy something on your e-commerce site that's based in Chicago, but they live in California, like, do they count?
04:12
Shannon Yavorsky
That's a great point. I think there are lots of different ways to look at that data. A lot of our clients look at how significant their presence in California is, and then you can look at someone's IP address and determine whether they're coming from California. But I hear you that sometimes it's perhaps a little bit more of an art than a science trying to figure out, do we meet the threshold here?
04:41
Adam Stofsky
Okay, I'm going to ask you one more question on this. It's probably too big a question, but I'm going to try, which is you said that the CCPA was the first omnibus privacy law in the US. But it's just a California law. Can you kind of contextualize this for most companies? Is it kind of like de facto like a national law? Because California is so big? How does this fit in this sort of world of just thinking about privacy as a US company or a company operating in the US generally?
05:11
Shannon Yavorsky
Yeah, it's a really good question. Before the CCPA, it's not to say that there weren't privacy laws. There certainly are and have been for a long time. There's HIPAA that applies to health data and COPPA that applies to children's data. But there was never an omnibus law that applied to all consumer data. And the CCPA really ushered in a new period of privacy legislation. And to your point, a lot of companies do business in California and meet one of those three thresholds. So it was really a big step for organizations to have to comply with this law. And many companies that are even outside of California but have a lot of employees or a lot of consumer data from people located in California, it definitely was an inflection point for US privacy legislation when the CCPA went into effect.
06:12
Adam Stofsky
Is it fair to say that the CCPA is kind of a de facto national law now, or is that overstating?
06:20
Shannon Yavorsky
It may be a little bit of an overstatement.
06:24
Shannon Yavorsky
So the CCPA has been copied, not verbatim, but there are 13 other states that have implemented state privacy laws that
06:34
Shannon Yavorsky
look a lot like the CCPA. Just a couple that are in force right now: Virginia, Colorado, Connecticut. December 2023, we're going to have Utah.
06:46
Shannon Yavorsky
And then a number of other states
06:48
Shannon Yavorsky
that have laws that are going to go into effect in the next two, three years, and then a lot of states that are thinking through what they want their law to look like. So we're in this place where there's this incredibly varied patchwork of state privacy laws that look a lot like the CCPA, but they're not identical. They have slight differences. So it's a little bit challenging for organizations who operate across multiple states to figure out, okay, well, we did CCPA. Now what do we have to do for Utah? Are there fundamental differences? Are there other steps that we have to take to make sure that we're complying with these new laws? Or how do we develop a program that it's going to help scale to these new laws as they roll on in the coming years?
07:37
Adam Stofsky
Okay, great. Thank you so much, Shannon, for that super quick CCPA crash course. Much appreciated.