The California Consumer Privacy Act (CCPA) is legislation signed into California state law on June 28th, 2018. However, the CCPA did not officially go into effect until January 1st, 2020. It is important to note that while this law is for the consumers of California, it affects all businesses, even if they do not have a physical location in the state.
What Is the CCPA?
The CCPA is intended to provide the following rights to residents of California:
- The right to know what personal data is being collected, whether that data is being sold or disclosed, and to whom.
- The right to say no to the sale of personal data and the right to access personal data.
- The right to request that any business delete the personal data and information it has collected about the consumer from that consumer, and the right not to be discriminated against for exercising these privacy rights.
Essentially, this act is designed to provide transparency and inform the consumer about what is happening to that consumer’s data.
What Is Personal Data?
According to the CCPA, personal data is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport, or any other similar identifiers. The CCPA also outlines additional identifiers that refer to, relate to, describe, or are capable of being associated with a particular individual: their name, signature, physical characteristics, phone number, insurance policy number, education, employment, bank information, credit information, credit or debit card numbers, other financial information, and medical information. However, publicly available information is not considered personal data under the CCPA’s definition of personal data and information.
The Differences Between the GDPR and the CCPA
In the early summer of 2018, the European Union introduced the General Data Protection Regulation (GDPR). Although the GDPR is similar to the CCPA, there are key differences that need to be brought into the spotlight. First and foremost, the GDPR has a much broader definition of the term personal data. The CCPA only protects personal data provided specifically by the consumer and excludes information that is purchased from or acquired through a third party. The GDPR does not make this distinction and therefore refers to all personal data on a consumer. However, just as in the CCPA, if the information is made public, then it is not considered personal data under the GDPR.
How to Know If You Are Obligated to Comply with the CCPA
The CCPA applies to any for-profit legal entity that meets the following general criteria:
- Collects consumers’ personal data
- Determines how and why that data is being used
- Conducts any business in California, including online business
- Meets one of the following annual criteria:
  - Has a gross revenue of at least $25 million.
  - Collects personal data for at least 50,000 consumers, households, or devices.
  - Generates 50% or more of its annual revenue from the sale of personal data.
How to Be Compliant With the CCPA
Once a business has determined whether the CCPA affects it, it is important to follow these steps to stay in compliance. First and foremost, businesses need to map consumer data. A great starting point is to ask the following questions. What personal data is collected and retained? How is data collected? Where and how is data stored? Is this data shared with other entities? As of January 1, 2020, California residents have the right to request this information. It is imperative for businesses to be able to provide this data accordingly to remain compliant.
Similar to when the GDPR came into the world, updating corporate privacy disclosures is a necessary step to ensure compliance. These disclosures need to inform consumers of what data is being collected and how that data is intended to be used.
The CCPA calls for a website to have a privacy link on its homepage entitled “Do Not Sell My Information,” which allows users to opt out of having their personal data sold. Businesses are encouraged to put this in place sooner rather than later.
Since California residents can request information, there needs to be a clear process for handling data requests from consumers. According to the CCPA, these requests must be processed free of charge and within 45 days. These processes need to cover the following consumer inquiries:
- Request for a copy of personal data.
- Request that personal data be deleted.
- Inquire as to which categories of that specific consumer’s personal data are being sold.
- Request to opt out of the sale of personal data of individuals 16 years of age or older.
- Request to opt in to the sale of personal data of individuals between the ages of 13 and 16.
- Obtain consent from a guardian to sell personal data of consumers that are younger than 13 years of age.
California consumers now have the right to seek financial damages for breached personal data. Therefore, it is crucial for your business to have privacy and security policies in place. Consumers must be made fully aware of how any business intends to utilize personal data under these new regulations. Strengthening data security measures diminishes the likelihood of hackers obtaining consumer data illegally and leaving your company liable for financial damages to consumers.
In conclusion, even if a business currently does not fit directly under the CCPA requirements, it is wise to become compliant, as the CCPA is likely the first of many privacy acts to come.