In the past six months, three states have passed landmark data privacy laws — the California Consumer Protection Act (CCPA), Nevada’s SB 220, and Maine’s Act to Protect the Privacy of Online Consumer Information (APPOCI). Other state legislatures are also showing momentum in passing their own data privacy legislation, including Washington State, Nebraska, Virginia, and New York.
At this time, there doesn’t appear to be much movement toward a single, comprehensive federal data privacy standard. Businesses need to navigate an increasingly complex and confusing patchwork of state data privacy laws — not to mention the European Union’s General Data Protection Regulation (GDPR) requirements.
The three laws apply to businesses with different profiles, so it is important to know which laws affect your business and what you need to do to comply. Failure to comply can result in fines of up to $5,000 per customer affected by the violation, so there are real stakes in understanding the requirements that apply to you.
Soliant Consulting is not a legal expert, and your business’s legal team should be involved with any discussions related to GDPR compliance. We can, however, work with you to build a system that complies with GDPR and help you flag major areas with which you will need to comply.
What Does Compliance Mean?
These three laws all exist to serve similar needs, albeit with differing levels of thoroughness and comprehensiveness. They primarily give consumers greater control over how the organizations that process their personal information use it, although the degree of control varies from law to law.
CCPA, in particular, grants consumers several explicit rights, including the right to see what data a business has on them and the right to request that the business delete their personal information. Additionally, both CCPA and APPOCI expressly forbid discriminating against consumers who exercise their rights.
All of these laws respond to a real public concern: a lack of transparency about what personal information businesses hold on their customers, and customers' lack of agency over how that data is used. These laws present businesses with an opportunity to improve the level of trust customers have in them, by providing customers with information in a transparent and forthright way and by collaborating with them on how their personal data is used. At Soliant, we place a heavy emphasis on being a trusted advisor, and transparency and collaboration are key parts of this role.
We are happy to work with you to make the most of this opportunity to both build a system that complies with the law and reorient your relationship with customers toward trust and collaboration. This can serve as a differentiator between you and your competitors.
APPOCI: Internet Service Providers Selling with Consent
Maine’s APPOCI law was passed in 2019 and goes into effect on July 1, 2020. It focuses on giving consumers more control over their personal information by requiring Internet service providers (ISPs) to obtain consent before selling personal information.
Who It Impacts
This law applies to the narrowest set of businesses of the three laws: ISPs that process the personal information of Maine residents.
What Compliance Means
This law requires that ISPs obtain affirmative consent from consumers before selling their personal information. If your business is impacted and needs to comply, we recommend considering the following:
- Make your company’s privacy practices clear at the point of sale.
- If your business sells personal information, make sure you obtain affirmative consent that this data can be sold (read: no prechecked boxes). Track this consent in your system to maintain a record of the consent.
- If a consumer opts out of having his or her personal information sold, make sure your business does not sell this data.
- Your business should not discriminate against consumers who exercise their rights by offering different tiers of service to consumers who grant consent and to those who do not.
Nevada’s SB 220: Consumers Opting Out of Data Sale
Nevada’s SB 220 was passed in May 2019 and went into effect on October 1, 2019. It applies to the broadest set of businesses of the three laws but to a narrower set of consumers than the CCPA does. The law gives consumers more control over their personal information by requiring businesses to allow their customers to opt out of the sale of their personal information.
Who It Impacts
The law applies to businesses that operate for commercial purposes, collect personal data of Nevada residents seeking to use a website or Internet service to buy or lease something, and purposefully make an effort to do business in Nevada. Note that a company does not need to be based in Nevada to do business in the state; it only needs to have customers in Nevada to face compliance requirements.
What Compliance Means
This law requires businesses to give consumers the right to opt out of the sale of their personal information. If this law applies to your business, take the following into consideration:
- Set up a designated medium to process requests to opt out of the sale of personal information, such as an email address, toll-free number, or web form on your business’s website.
- Establish a process for verifying the requestor’s identity to ensure these requests are being made by the right person.
- Establish a process for fulfilling requests promptly.
- If a consumer opts out of having her or his personal information sold, make sure your business does not sell this data.
California’s CCPA: Significant New Responsibilities
CCPA was passed in 2018 and went into effect on January 1, 2020. It is the most comprehensive and complex of the three data privacy laws and will likely have the furthest-reaching impact. The law grants California residents several explicit rights:
- Know what personal information a business has collected on them
- Opt out of the sale of their personal information
- Have their personal information deleted
- Receive equal service and pricing from a business if they exercise their other rights
Enforcement of the CCPA starts in July 2020. Watchers are anticipating large fines will be handed out to tech companies to prove the law has teeth.
Who It Impacts
Although the scope of the CCPA is quite wide-reaching, it only applies to a specific subset of businesses. A business that needs to comply with CCPA must meet all of the following criteria:
- Operated for profit
- Collects California residents' data
- Does business in California
and must also meet at least one of the following:
- Has gross revenues greater than $25 million
- Buys, receives, or sells the personal information of 50,000 or more California residents
- Gets 50 percent or more of its revenue from selling personal information
- Is controlled by a business that meets one of these criteria
Note that a business does not need to be based in or have a physical presence in California to be considered doing business in the state; it need only have customers in California to meet this criterion.
CCPA currently applies to customer data, but starting in 2021, it will also cover business to business data and employee data.
What Compliance Means
This law requires that businesses take a lot of action to comply. If this law applies to your business, we recommend considering the following steps:
- Consumers’ rights
- Your business’s data practices
- The personal information you collect
- The personal information you sell
- How to submit CCPA-associated requests
- How to designate an authorized agent to submit a request
- Who to contact for more information about privacy policies and practices
- Establish a procedure for handling CCPA requests. At least one method for submitting requests should reflect how your consumers normally interact with your business.
- Establish a process for verifying the identity of consumers looking to exercise their CCPA rights. If your business has especially sensitive personal information, a more extensive verification process may be appropriate.
- Establish a process for providing consumers with copies of the personal information that your business has on them.
- Establish a process for providing customers with the categories of data you have collected about them.
- If your business sells personal information, create a page where customers can opt out of the sale. Include a link to this page on your site.
- If your business sells personal information, establish a process for providing consumers with the categories of businesses to which you have sold their personal information.
- Establish a process for fulfilling CCPA requests promptly.
- Your business should not provide different tiers of service for customers who exercise their rights compared with customers who do not.
- Establish a process for consumers to report violations related to CCPA compliance.
- Special considerations apply if:
  - Your business sells the personal information of minors
  - Your business is a data broker
  - You buy, receive, sell, or share personal information for four million or more consumers for commercial purposes
Mutually Reinforcing Laws
Although these three laws have significant differences, they are not mutually exclusive. Compliance with one can reinforce compliance with others. For example, a system allowing consumers to opt into the sale of their data complies with both APPOCI and SB 220. Similarly, because CCPA and SB 220 both cover the right to opt out of the sale of personal information, a system compliant with CCPA also complies with SB 220. Soliant can help you to find where these different laws overlap and design compliant solutions.
Data privacy laws represent a paradigm shift in how we think about personal information and control over it. Giving consumers more control leads to customer relationships based on trust and consent. This gives customers a better experience and makes them more likely to return, and it can be a way to differentiate your business from the competition.
Feel free to reach out to Soliant if you’d like to make the most of this opportunity with your FileMaker, Salesforce, or open-source software system!