The California Consumer Privacy Act (CCPA) was passed in the State legislature and signed into law by the California Governor on June 28, 2018. Set to take effect January 1, 2020, the US’s first data privacy law can have sweeping consequences for companies to whom it applies. Here’s the good news: there are certain thresholds you must meet in order for the CCPA to apply to your business. Furthermore, many of the processes put in place after GDPR can be used to ensure compliance with CCPA.
Breaking Down The California Consumer Privacy Act
What Does the California Consumer Privacy Act Do?
The CCPA was created with the intention of giving California consumers the right to:
- Know what personal data is being collected about them
- Know whether their personal data is sold or disclosed and to whom it was sold or disclosed
- Say no to the sale of their personal data
- Access their personal data
- Request businesses to delete their personal data
- Not be retaliated or discriminated against for exercising their privacy rights
Californiaprivacy.org explains the CCPA gives consumers:
- Consumers have the right to request (once a year, free of charge) that a business disclose the categories of information the business collects on the individual. If the business sells personal data, the consumer has the right to know what categories were collected and sold and to whom they were sold.
- Consumers are allowed to tell businesses to stop selling their personal data (right to opt out).
- Any business selling information must give notice to consumers that their data may be sold and that consumers have the right to opt out.
- Once a consumer is opted out, the business may not sell the consumer’s data without express authorization from the consumer to resume selling personal data.
- Furthermore, businesses cannot penalize consumers who opt out of allowing the selling of personal data. This means businesses cannot charge consumers more, deny consumers access to services, or change the quality of service consumers receive because they opt out.
The CCPA increases penalties and fines for data breaches if businesses fail to implement “reasonable security measures.”
- Consumer damages: minimum of $100, max of $750 per consumer per incident
- Regulator enforcement penalties: minimum of $7,500 per violation
Who Does the CCPA Affect?
As alluded to earlier, the CCPA does not impact every business in the United States. California has laid out certain criteria for entities who will be impacted by this new law.
CCPA applies to for-profit entities doing business in California that:
- have annual gross revenue in excess of $25,000,000 (subject to adjustment); or
- handle data of more than 50,000 people or devices; or
- have 50% or more of revenue coming from selling personal data.
Note: the CCPA also applies to any businesses that control, are controlled by, or have common branding with an entity that fits the above criteria.
Preparing for the CCPA to Take Effect
If your company was impacted by GDPR, you’re already on the path to being CCPA compliant, as many of the regulations from GDPR overlap with CCPA. However, there is one big difference: GDPR regulates data that is processed, while CCPA regulates all personal data that is collected. That means whether or not you’re using the data, if you collect it you’ll need to comply with the CCPA.
With that, here are some key things you’ll need to do in order to comply with the CCPA.
- Make sure all data you collect is easily exportable in a user-friendly format.
- Ensure you’re maintaining records for 12 months.
- Delineate between any data that is sold and data that is transferred.
- If you sell personal data, add an opt-out button on your website.
- If you sell personal data, put your customers on notice that you may sell their data and that they have the right to opt out (make sure you keep a record of this communication and any opt-outs).
- Create a process to allow California consumers to request their data and to request erasure of their data. Make sure you keep records of all requests.
- Create a process for deleting data as requested.
- Make sure you’ve written down your plan of action, and have proof that you are maintaining and complying with all requirements.
Consumer Privacy is Trending
Consumer privacy is a hot-button issue and California is the first state to enact this type of regulation; however, more states will probably follow suit. Whether or not you’re forced to comply with this particular Act, it is probably worth getting your ducks in a row to ensure that if and when legislation in your state passes, you’ll be ready to simply flip a switch and comply.
None of the information in this article should be construed as legal advice. These are simply best practices. To ensure you are complying fully with the California Consumer Privacy Act, you should consult with legal counsel.