Australia is a significant participant in the global economy, with Australian-based companies employ over 15,000 Californian residents and many selling products and services to consumers in the state. With the California Consumer Privacy Act (“CCPA”) now in effect, Australian companies need to understand whether they’re in scope, how to comply and how to position themselves as other US states consider or enact data privacy legislation. Given that the Australia Privacy Act has been on the books for a number of years, many Australian companies already have a solid data privacy footing, however those companies subject to CCPA should get familiar with the regulation so they can avoid significant financial penalties.
Who Does CCPA Affect?
- Earning annual gross revenue greater than $25 million;
- Buying, receiving, collecting, selling or sharing for commercial purposes the personal information of at least 50,000 consumers, households or devices, whether alone or in combination; or
- Deriving at least 50% of its annual revenue from the sale of consumers' personal information.
It’s important to remember that this is an “or” test, meaning that if your company only needs to exceed one of these thresholds to be in scope of the regulation.
What is Personal Information?
Personal information includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include, but are not limited to: name, email, phone number, and IP address, among others.
CCPA applies to all categories of personal information that are collected by a business that falls within the law's scope from its customers. Under CCPA, any natural person that is resident of the state of California is considered a customer. CCPA excludes “aggregate consumer information” from personal information categories. “Aggregate consumer information” means data that is, “not linked or reasonably linkable to any consumer or household, including via a device.” Additionally, it also excludes information that is publicly available from local, state or federal records.
What Should Australian Companies Do?
If your company is subject to CCPA, you should take the following four steps to start your CCPA compliance:
2. Review your data security and privacy protocols to ensure they’re reasonable per CCPA requirements.
3. Provide a mechanism for consumers to make data subject access requests and opt out of the sale of their personal information.
4. Prepare for privacy rules in other jurisdictions where you are currently or are planning to do business (e.g., New York, Europe, Brazil, or other regions).
What Happens If My Company Doesn’t Comply?
If your company is subject to CCPA and doesn’t comply with the regulation, the financial penalties of noncompliance can be severe and crippling from both a penalty and financial resource perspective.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to comply with CCPA, GDPR, APA and other laws, with plans starting at just $10/month. Contact us today about how your startup can implement Clym to help manage your data privacy regulation compliance from a global perspective.