The California Consumer Privacy Act
If you collect data from any California residents, then you will have to adhere to the CCPA compliance regulations. (See our CCPA compliance checklist at the end.)
Recently, organizations have contended with public and government pressure to satisfy customer privacy regulations. Europe’s General Data Protection Regulation (GDPR) is one example of several new privacy regulations. However, it now seems that comparable regulations have made their footprint in the United States. As such, California was the first U.S. state to pass privacy regulations in 2017. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.
So What is the CCPA Exactly?
Privacy Compliance & Control
Overall, the CCPA aims to give California residents power over their personal information. Passed on June 28, 2018, the California Consumer Privacy Act protects the privacy and data of consumers. The CCPA initiative states that it intends to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.” The act essentially requires businesses to be transparent with their consumers about what data they’re collecting. Ultimately, consumers control the circulation of their personal information, and can even sue companies if their data is breached.
For more information, you can read the entire document here.
Who Does the CCPA Affect?
If you’re in California, or even if you have customers in California, then it affects you. And you’ll need to be ready soon; the law will be enforced beginning January 1, 2020. If your business serves any consumers—or website users—that are residents of California, these rights and protections will be afforded to them. California has a solid 12% of the U.S. population and a significant number of tech companies with a large user base. As a result, the CCPA will more likely affect your business than not.
What are the CCPA Compliance Requirements?
Overall, the policy is a win for consumers, granting them more control over their own personal data. In brief, under the CCPA consumers will have the right to:
- Access Information: Californian consumers will get to know the specific “who, what, & why” of their data collection
- Deletion of Information: Californians can request that a company delete data collected about them
- Opt-Out: Californians can refuse to let a company sell their personal information to third parties
However, this law is significantly more strict than current personal information laws passed in other states. Per Privacy Attorney Gary Kibel, “companies often comply with the strictest standard that applies to them.” As a result, many companies will likely shift in preparation for the new standards to be set by the CCPA. Even if the CCPA does not directly affect a business come January 2020, it would be wise to prepare. Strict privacy compliance laws could become the new normal if other U.S. states follow in California’s footsteps.
- Notice to consumers: Businesses must gain consent from users at or before the time of data collection.
- Business practices for handling consumer requests: Businesses must offer a means for users to access, request, or delete their personal data.
- Verification of requests: Businesses must be able to verify user requests.
- Special rules regarding minors: There are separate specific requirements for minors under 13 years old, and minors aged 13-16 years.
- Non-discrimination: Businesses cannot discriminate against consumers based on whether those consumers exercised their data protection rights. However, businesses may offer different services that pertain to the consumer instead. This also requires calculating the value of consumer data.
Additionally, public hearings regarding the CCPA will be held throughout California in early December. Read more here.
CCPA vs GDPR, So Far…
Now that the CCPA is officially in effect, how has it compared to Europe’s GDPR? So far, it seems as though the CCPA has offered a greater compliance hurdle than the GDPR.
Due to the complexity of the act, companies still have a lot of questions about exactly how they should comply. For example, what technically constitutes “selling” data? Compliance takes more than just adding an “opt-out” option on a website. Companies are additionally struggling with how to process data when consumers ask for it to be deleted, or ask for more information about said personal data. See the following CCPA Compliance Checklist for more information on how to meet compliance regulations.