It has been just over a year since the California Consumer Privacy Act (CCPA) went into effect. Following the precedent set by the GDPR, which took effect in the first half of 2018, the CCPA aims to give consumers more control over, and more protection for, their personal data. If your company does business in California or serves California residents, you may fall within the scope of the CCPA and need to be in compliance.
From the outset, the CCPA aimed to strengthen consumers' right to privacy by increasing transparency around how personal data is collected and used. Consumers now have the right to:
Under the CCPA, consumers must receive the same service, at the same price, regardless of the privacy choices they make; a business may not discriminate against a consumer for exercising CCPA rights. This complicates matters for businesses that rely heavily on data monetization to offer free or low-cost services. The CCPA also extends special protection to minors: a business may not sell the personal information of a consumer it knows to be under 16 without opt-in consent, given by the minor if they are 13 to 15 years old, or by a parent or guardian if the child is under 13.
Your business should be compliance-ready if you (a) collect or sell the information of California residents, (b) do business in California, and (c) meet one of the following:
The legislation defines personal information more broadly than most other U.S. privacy laws. Under the CCPA, personal information is any information that identifies, relates to, describes, or could reasonably be linked or associated with a particular consumer or household. This includes names and aliases, Social Security numbers, postal and email addresses, passport numbers, transaction and purchase details, education and employment data, geolocation data, and physical and behavioral attributes such as biometric data and browsing history.
As with "personal information," the law defines "selling" broadly. "Selling" covers not just the exchange of personal information for money but also disclosing, releasing, transferring or otherwise making it available to another business or third party for business gain. A business that receives no payment for sharing personal information may still be "selling" it under the CCPA if it receives other "valuable consideration" in return, such as access to the recipient's data or services.
Businesses will have to take certain steps to uphold their customers’ rights:
Businesses that delay their CCPA compliance-readiness expose themselves to significant financial risk on two fronts. First, the CCPA gives consumers a private right of action for certain data breaches: if a business's failure to maintain reasonable security practices leads to unauthorized access to, or theft or disclosure of, a consumer's nonencrypted and nonredacted personal information, the consumer can bring a civil action for statutory damages of $100 to $750 per consumer per incident, or actual damages if they are greater. Second, the Attorney General can enforce every other provision of the law: if a business does not cure a violation within 30 days of being notified, the Attorney General's office can sue for civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation.
Besides California, which has historically been an early adopter of privacy legislation, other states have been working on their own consumer protection laws. New York has adopted the SHIELD Act, Nevada has made two significant changes to its existing privacy laws, and bills have been introduced in both Washington and Texas. Even if the GDPR did not apply to you, the CCPA is a further signal to get ready for a decade of consumer privacy regulation. For more information about IT governance and compliance, reach out to iCorps for a free consultation.