Originally Published: September 11, 2019 | Updated: December 4, 2019
By now you’ve heard of the General Data Protection Regulation also know as “GDPR” that passed in the European Union in 2016 and went into effect in 2018. GDPR compliance applies to any company that does business with online users in the European Union, whether or not they are EU residents.
But did you know that there are data privacy laws like this in the United States? And even more so, state laws that are more specific and stringent.
If you do business in the United States (namely California) – you’ll want to keep reading.
State-specific laws in the United States apply to any company (defined by the state) doing business with residents of those particular states. Additionally, compliance with GDPR doesn’t mean compliance with these state-specific laws.
The most notable state law is the California Consumer Privacy Act (CCPA) passed in 2018, which goes into effect January 1, 2020, granting California residents the rights to:
- Know the business’s data collection practices
- Receive a copy of their personal information collected in the last 12 months and receive it within 45 days
- Have such information deleted
- Know the business’ data sale practices and to request that their personal information not be sold to third parties
- To not be discriminated against based on exercising these rights
Note that this law grants rights to California residents (defined by income tax filings), making the scope narrower than that of GDPR. To learn more about the CCPA specifics, read more here.
Additional to the California resident stipulation, this law only applies to for-profit companies that check off one of these requirements:
- Earn +$25 million in annual gross revenue
- Process personal data of +50,000 California residents
- Profit +50% of its revenue from the sale of California residents’ data
While GDPR fines are astronomically higher than the CCPA’s, the penalties are still worth noting. First, the Attorney General must provide 30 days’ prior notice of noncompliance before taking action or fining businesses. Then the fines begin.
According to the following provisions, penalties are currently on a per violation basis without a defined maximum:
- Fines for companies are $2,500 per violation (and $7,500 for willful violations)
- Fine for individuals are $100 to $750 per violation
Businesses must update their website to include:
- New California rights and how to exercise them must be disclosed.
- Websites must disclose:
- Categories of information collected
- Sources of information
- Categories of information sold and shared for business purposes
- There must also be a link in the footer of the homepage titled “Do Not Sell My Personal Information,” that leads users to an opt-out page.
- This update must be posted by January 1, 2020, and updated annually.
- Companies will be required to stop selling people’s data upon their request at any time.
If you’re a business using Google Products like Google Analytics, Google is taking the brunt of protecting you.
In a recent article Google published, “restricted data processing” is their way of combating CCPA, which restricts the way unique identifiers and other data points are collected and processed.
Below is a list of Google products that are already using restricted data processing.
- Ads Data Hub
- Audience Partner API (formerly known as DoubleClick Data Platform)
- Authorized Buyers
- Campaign Manager (formerly known as DoubleClick Campaign Manager)
- Display & Video 360 (formerly known as DoubleClick Bid Manager)
- Funding Choices
- Google Ads Customer Match (formerly known as AdWords Customer Match)
- Google Ads Store sales (direct upload) (formerly known as AdWords Store sales (direct upload))
- Google Analytics, Analytics 360, and Analytics for Firebase*
- Google Customer Reviews
- Google Data Studio
- Google Opinion Rewards for Publishers
- Google Optimize, Google Optimize 360
- Google Tag Manager, Google Tag Manager 360
- Open Bidding Buyers (including products formerly known as Exchange Bidding and Network Bidding)
- Search Ads 360 (formerly known as DoubleClick Search)
- Waze Ads
*For Google Analytics, make sure to accept the data processing amendment in the GA Account Settings after discussing it with your legal team.
Below is a list of Google products that require action to use restricted data processing.
For the latest updates on GDPR and state-specific laws related to data privacy, subscribe to Seer’s blog. And to learn more about what Seer’s Analytics team can do for you, contact us below.