It has been just over a year since the California Consumer Privacy Act (CCPA) went into effect. Following the precedent set by the GDPR in the first half of 2018, the CCPA aims to increase consumer data controls and protections. If your company operates in California or has a consumer base with California residents, you need to be in compliance with the CCPA.
Here's an In-Depth Business Guide to the California Consumer Privacy Act (CCPA):
Consumer Rights Under the CCPA
From the outset, the CCPA aimed to strengthen consumers' right to privacy by increasing transparency around how personal data is collected and used. Consumers now have the right to:
- Access their personal information.
- Refuse the sale of their personal information.
- Know the categories of information collected about them.
- Know how their personal information is used, including whether it is sold and to whom.
- Receive the same standard of service at the same price even after exercising their privacy rights.
Under the CCPA, consumers must receive equal service regardless of their privacy choices. This complicates matters for businesses that rely heavily on data monetization to offer free or low-cost services. The CCPA also extends special protection to minors: a business cannot sell the personal information of a consumer under the age of 16 without affirmative opt-in consent, given by the minor themselves if they are between 13 and 15, or by a parent or guardian if the child is under 13.
Does Your Business Need to Comply with the CCPA?
Your business should be compliance-ready if you (a) collect or sell the personal information of California residents, (b) do business in California, and (c) meet at least one of the following thresholds:
- You earn at least 50% of your annual revenue from selling consumers' personal information.
- You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices per year.
- You have annual gross revenue above $25 million.
The legislation has one of the broadest definitions of personal information in any privacy law. Under the CCPA, personal information is any detail that identifies, relates to, or could reasonably be linked with a particular consumer or household. This includes names and aliases, Social Security numbers, postal and email addresses, passport numbers, transaction details, education and employment data, geolocation data, and biometric, physical, and behavioral characteristics.
As with "personal information," the law defines "selling" broadly. Selling covers not just the exchange of personal information for money but also sharing it for other business gain. A business that receives no payment for sharing personal information can still fall within the reach of the CCPA if it receives other "valuable consideration" in return, for instance access to a partner's data or services.
How to Comply with the CCPA
Businesses have to take specific steps to uphold their customers' rights:
- The first is to ensure consumers can easily submit requests for access to their data. The law requires at least two designated request methods, one of which must be a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer may instead offer only an email address).
- Consumers must receive the requested personal information within 45 days of the request. Businesses should also be ready to delete personal information on request, subject to the law's exceptions, for example data needed to complete a transaction, to detect security incidents or illegal activity, to comply with a legal obligation, or to exercise free speech.
- Businesses that sell personal information must notify visitors that they do so and provide a clear and conspicuous link labeled "Do Not Sell My Personal Information" on their homepage and in their privacy policy, allowing consumers to opt out.
Many businesses take on significant financial risk by delaying their CCPA compliance readiness. The CCPA gives consumers a private right of action for certain data breaches: if nonencrypted or nonredacted personal information is exposed through unauthorized access because the business failed to implement reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, after first giving the business 30 days' written notice to cure the violation where a cure is possible. For other violations, if a business does not cure within 30 days of being notified, the Attorney General's office can seek civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation.
Besides California, which has historically been an early adopter of privacy legislation, other states have been working on their own consumer protection laws. New York has adopted the SHIELD Act, Nevada has made two significant changes to its existing privacy laws, and bills have been attempted in both Washington and Texas. If you were not affected by the GDPR, the CCPA is another signal to prepare for a decade of consumer privacy regulation. For more information about IT governance and compliance, reach out to iCorps for a free consultation.