California Consumer Privacy Act Readiness Checklist & Preparation

09.21.2021

The California Consumer Privacy Act

If your organization collects data from California residents, as most companies do, you will have to adhere to the CCPA's compliance requirements. (See our CCPA compliance checklist at the end.)

Recently, organizations have contended with public and government pressure to satisfy consumer privacy regulations. Europe’s General Data Protection Regulation (GDPR), for example, is one of several new privacy regulations. Comparable regulations have now made their footprint in the United States: California was the first U.S. state to pass privacy regulations in 2017, and the California Consumer Privacy Act (CCPA) went into effect on July 1, 2020.

What is the CCPA?

Generally speaking, the CCPA is currently the most thorough data privacy regulation in the United States. In a nutshell, the CCPA gives California residents power over their personal information. Passed on June 28, 2018, the CCPA protects the privacy and data of consumers by giving Californians the ‘who, what, where, and when’ of how businesses handle their personal information. The act requires businesses to be transparent with consumers about what data they’re collecting. Ultimately, consumers control the circulation of their personal information, and can even sue companies if their data is breached.

For more information, you can read the entire CCPA document here.

Who Does the CCPA Affect?

If you’re in California, or even if you only have customers in California, the CCPA affects your organization. And if you’re not already prepared, you’re behind: the law passed January 1, 2020, and went into full effect on July 1, 2020. If your business serves any consumers, including website users, who are residents of California, these rights and protections are afforded to them. California holds a significant 12% of the U.S. population and is home to a number of major tech companies with large user bases. As a result, the CCPA is more likely to affect your business than not.

The CCPA applies only to for-profit organizations that do business within California and that meet at least one of the following criteria:

  • Have an annual gross income of over $25 million
  • Derive over 50% of their annual revenue from selling consumers’ personal information
  • Buy, sell, or share the personal information (PI) of 50,000+ consumers, devices, or households

What are the CCPA Compliance Requirements?

The CCPA is a win for consumers, granting them more control over their own personal data. In brief, under the CCPA consumers have the right to:

  • Access Information: Californian consumers are entitled to know the specific “who, what, and why” of their data collection.
  • Deletion of Information: Californians can request that a company delete the data collected about them.
  • Opt-Out: Californians can forbid a company from selling their personal information to third parties.
  • Sue for Security Breaches: A company affected by a security breach has 30 days to solve it; if it does not, a consumer can claim between $100 and $750.
  • Anti-Discrimination: A consumer who acts on these rights cannot be treated differently by the company as a result.

To be compliant with these consumer rights, any affected organization must respond within 45 days of a request. It is also the organization’s responsibility to spend the time and resources needed to verify the consumer’s identity and to provide the requested information free of charge.

The CCPA is significantly stricter than the current personal information laws passed in other states. Per Privacy Attorney Gary Kibel, “companies often comply with the strictest standard that applies to them.” As a result, many companies will likely adjust their practices in preparation for the new standards set by the CCPA. Even if the CCPA does not apply to a business now, it would be wise to prepare for the inevitable “later.” Strict privacy compliance laws are predicted to become the new normal if other U.S. states follow in California’s footsteps.

CCPA Proposed Privacy Compliance Regulations

California State Attorney General Xavier Becerra announced the proposed regulations implementing the CCPA. In short, they are as follows:

  1. Notice to consumers: Businesses must gain consent from users at or before the time of data collection.
  2. Business practices for handling consumer requests: Businesses must offer a means for users to access, request, or delete their personal data.
  3. Verification of requests: Businesses must be able to verify user requests.
  4. Special rules regarding minors: There are separate specific requirements for minors under 13 years old, and minors aged 13-16 years.
  5. Non-discrimination: Businesses cannot discriminate against consumers based on whether those consumers exercised their data protection rights. However, businesses may instead offer consumers different services, which also requires calculating the value of consumer data.

Additionally, public hearings regarding the CCPA will be held throughout California in early December. Read more here.

CCPA Compliance Failure

Companies affected by the CCPA must comply, or they will face serious consequences.

CCPA Compliance Fines

The most common consequence is monetary fines, which can add up very quickly under the CCPA. For instance, organizations may be fined up to $7,500 for each intentional violation and up to $2,500 for each unintentional violation. Imagine a business making even just 400 unintentional violations: that would potentially be a million-dollar fine.

Although the CCPA is relatively new, many companies have already been fined significant amounts under privacy regulations such as the GDPR. The largest so far has been the GDPR fine against Amazon in 2021 of $877 million.


The biggest GDPR fines also include Google, which has been hit twice, with GDPR fines totaling $65 million. An estimated 1,000 companies have been fined under the GDPR in the past two years, with cumulative fines of $1.25 billion.

And finally, there is the risk of consumer claims. Consumers have the right to sue over a data breach (if the company cannot solve the issue within 30 days), resulting in further monetary losses.

Company Reputation

It’s not just fines and lawsuits; compliance failure also carries a major reputational risk. Consumers and the general public quickly lose trust in a company that gains a reputation for mishandling private information.

CCPA vs GDPR

Now that the CCPA is officially in effect, how does it compare to Europe’s GDPR? So far, it seems the CCPA has posed a greater compliance hurdle than the GDPR.

Due to the complexity of the act, companies still have many questions about exactly how they should comply. For example, what technically constitutes “selling” data? And compliance is more than just adding an “opt-out” option to a website. Companies are also struggling with how to process data when consumers ask for it to be deleted, or ask for more information about the personal data held on them. See the following CCPA Compliance Checklist for more information on how to meet the compliance requirements.

California Privacy Rights and Enforcement Act (CPRA)

“California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.”

More information can be found here.

How Can Organizations Prepare for the CCPA?


So, what can you do in the meantime?

Knowing exactly where your company stores its consumers’ personal information is a great way to meet CCPA compliance requirements. Organizations have 45 days to validate a consumer’s identity and give them the requested information, or face monetary consequences. The more readily that information is at an organization’s fingertips, the better positioned it is to comply.

Identifying and classifying sensitive data allows organizations to store and protect it properly so they can comply with state and federal mandates. With this level of classification, penalties can either be avoided completely or reduced. It truly helps companies manage and reduce their financial risk and exposure under data privacy regulations.

Here are some other tips to ease your company’s transition, in this CCPA Compliance Preparation Checklist:

[Infographic: CCPA Compliance Checklist and Preparation]


SkySync