The California Consumer Privacy Act
If you collect data from any California residents then, like most companies, you will have to adhere to the CCPA compliance regulations. (See our CCPA compliance checklist at the end)
Recently, organizations have contended with public and government pressure to satisfy consumer privacy regulations. Europe’s General Data Protection Regulation (GDPR) is one of several new privacy regulations, for example. Now comparable regulations have made their footprint in the United States: California was the first U.S. state to pass privacy regulations in 2017. The California Consumer Privacy Act (CCPA) goes into effect on July 1, 2020.
So What is the CCPA Exactly?
Privacy Compliance & Control
In general, the CCPA is currently the most thorough data privacy regulation in the US. Overall, the CCPA aims to give California residents power over their personal information. Passed on June 28, 2018, the California Consumer Privacy Act protects the privacy and data of consumers. The CCPA initiative states that it intends to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.” The act essentially requires businesses to be transparent with their consumers about what data they’re collecting. Ultimately, consumers control the circulation of their personal information, and can even sue companies if their data is breached.
For more information, you can read the entire document here.
Who Does the CCPA Affect?
If you’re in California, or even if you have customers in California, then it affects you. And you’ll need to be ready soon; while the law passed January 1, 2020, it doesn’t go into full effect until July 1, 2020. If your business serves any consumers—or website users—that are residents of California, these rights and protections will be afforded to them. California has a solid 12% of the U.S. population and a significant number of tech companies with a large user base. As a result, the CCPA will more likely affect your business than not.
Specifically, the CCPA only applies to for-profit organizations that do business within California and meet at least one of the following criteria:
- Have an annual gross income of over $25 million
- Derive over 50% of their annual revenue from selling consumers’ personal information
- Buy, sell, or share the personal information (PI) of 50,000+ consumers, devices, or households
CCPA Compliance Grace Period – January 2021
What are the CCPA Compliance Requirements?
Overall the policy is a win for consumers, granting them more control over their own personal data. In brief, under the effect of the CCPA consumers will have the right to:
- Access Information: Californian consumers will get to know the specific “who, what, & why” of their data collection.
- Deletion of Information: Californians can request that a company delete the data it has collected about them.
- Opt-Out: Californians can refuse to allow a company to sell their personal information to third parties.
- Sue for Security Breaches: A company affected by a security breach has 30 days to resolve it; if it does not, a consumer can claim between $100 and $750.
- Anti-Discrimination: A consumer who exercises these rights cannot be treated differently by the company as a result.
To be compliant with these consumer rights, any affected organization must respond within 45 days of a request. It is also the organization’s responsibility to spend the time and resources needed to verify the consumer’s identity and provide the requested information free of charge.
The CCPA is significantly more strict than current personal information laws passed in other states. Per Privacy Attorney Gary Kibel, “companies often comply with the strictest standard that applies to them.” As a result, many companies will likely shift in preparation for the new standards to be set by the CCPA. Even if the CCPA does not directly affect a business come January 2020, it would be wise to prepare. Strict privacy compliance laws could become the new normal if other U.S. states follow in California’s footsteps.
- Notice to consumers: Businesses must gain consent from users at or before the time of data collection.
- Business practices for handling consumer requests: Businesses must offer a means for users to access, request, or delete their personal data.
- Verification of requests: Businesses must be able to verify user requests.
- Special rules regarding minors: There are separate specific requirements for minors under 13 years old, and minors aged 13-16 years.
- Non-discrimination: Businesses cannot discriminate against consumers based on whether they exercised their data protection rights. Businesses may, however, offer different services tied to the value of the consumer’s data, which requires calculating that value.
Additionally, public hearings regarding the CCPA will be held throughout California in early December. Read more here.
CCPA Compliance Failure
Companies affected by the CCPA must comply, or they will face some serious consequences.
The most obvious one is monetary fines, which can add up very quickly under CCPA. For example, organizations may be fined up to $7500 for each intentional violation and up to $2500 for each unintentional violation. Imagine if a business were to make even just 400 unintentional violations – that would potentially be a million-dollar fine.
But it’s not just fines: there is also a reputational risk that comes with compliance failure. Consumers and the general public can easily lose trust in a company that gains a bad reputation for mishandling private information.
And finally, there is the risk of consumer claims. Consumers have the right to sue over a data breach (if the company cannot solve the issue within 30 days). This could create more monetary losses.
CCPA vs GDPR, So Far…
Now that the CCPA is officially in effect, how has it compared to Europe’s GDPR? So far, it seems as though the CCPA has offered a greater compliance hurdle than the GDPR.
Due to the complexity of the act, companies still have a lot of questions about exactly how they should comply. For example, what technically constitutes “selling” data? And compliance is more than just adding an “opt-out” option to a website. Companies are also struggling with how to process data when consumers ask for it to be deleted, or ask for more information about the personal data held on them. See the following CCPA Compliance Checklist for more information on how to meet compliance regulations.
California Privacy Rights and Enforcement Act (the CPRA)
“On November 3, California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.”
More information can be found here.
How Can I Prepare for the CCPA?
CCPA Compliance Checklist for Preparation Infographic
So, what can you do in the meantime?
While it’s always good practice to keep your content and data organized, knowing exactly where your company stores its consumers’ personal information is a good way to prepare for the CCPA. Organizations have 45 days to verify a consumer’s identity and give them the requested information, or face consequences. The sooner that information is at your fingertips, the better positioned you are for compliance.
Here are some other tips to ease your company’s transition, in this CCPA Compliance Preparation Checklist: