What is the California Consumer Privacy Act of 2020?
The California Consumer Privacy Act (CCPA, also known as AB 375) is a data privacy act that was passed by the California State Legislature and came into effect on January 1, 2020. The law’s primary objective is to provide enhanced privacy and protection to California residents by imposing rules that govern how businesses use customers’ sensitive personal information.
With the enforcement of CCPA, businesses collecting, sharing, and selling consumers’ personal information will now have to follow stringent rules and regulations.
Under the CCPA, companies now have to give consumers more information about what they do with their data. The law governs what personal information is collected, why the business collects it, and whether the company will share it with other businesses.
What is Personal Information Under the CCPA?
While CCPA has become a headache for many businesses, it has come as a blessing in disguise for consumers who value their data privacy. Caring about consumers’ data is the main purpose of this California law.
With technology penetrating every sector, consumers leave behind more data than they can imagine. With 64.2 zettabytes (ZB) of data created or replicated in 2020 alone, it has become more important than ever for consumers to keep track of the sensitive data that companies store and share.
That’s precisely what CCPA tries to accomplish. According to this law, customer data is not just name and address; it includes the following categories of personal information:
- Credit card information
- Health insurance information
- Unique personal identifier
- Demographics
- Electronic network activity information
- Internet browsing history
- Postal address
- Driver’s license number
- Biometric information
- Geolocation data
- Age
- Commercial information
- Income
- Education information
- IP address
- Local government records
- Other personally identifiable information
This is the kind of consumer information that most people don’t realize companies collect, share and sell. While this data is a gold mine for marketers, in the wrong hands it could result in data breaches that put your business and the privacy of California residents at risk.
Pro-tip: Note that this is a non-exhaustive list, meaning that there are other pieces of information that the federal government may deem personal information when consumers sue businesses for non-compliance.
What are the Rights of California Consumers?
CCPA offers specific rights to consumers regarding data privacy and personal information. CCPA establishes the following rights for California residents:
1. Right to opt-out
Consumers have the right to submit opt-out requests at any time and direct businesses that share and sell consumer data to stop this sale. Businesses have to wait for 12 months to ask consumers to provide opt-in consent again.
2. Right to request deletion
With this right, California residents can request deletion of the personal information a business has collected from them.
3. Right to notice
One of the most fundamental rights under CCPA is the right to written notice. Businesses must inform consumers before collecting their sensitive personal information. As a business, you have to clearly explain the categories of personal information you collect from customers. Notably, if you collect a California resident’s personal information for a new purpose, you must notify them again.
4. Right to access
Under this right, any California resident can request that a business disclose the categories of personal data it has collected, the sources of that data, the commercial purpose for collecting it, and the categories of third parties with which it shares consumer data.
5. Right to equal service and prices
According to the California Attorney General, CCPA prohibits businesses from discriminating against consumers who exercise their rights. Businesses falling under CCPA cannot refuse goods or services, provide a different level or quality of goods or services, or charge a higher or lower price based on whether consumers exercise their rights.
Who is Subject to the California Consumer Privacy Act?
To ensure businesses value their consumers’ data privacy, California’s Attorney General included rules that determine which companies must comply with CCPA and which are exempt. Your business is liable to a customer in case of a data breach if it meets one or more of the following criteria:
- A business has a gross annual revenue of $25 million or more.
- A business derives more than half of its revenue from selling consumers’ personal information.
- A business buys, receives, and sells consumer data from 50,000 or more consumers, devices or households.
- A business handles the personal information of more than 4 million consumers (such businesses face additional obligations).
CCPA generally applies to for-profit businesses. However, CCPA applies to non-profit organizations only when:
- A business makes $20 million every year, but more than 80% of its revenue comes from selling consumer data to third parties.
- A business receives more than 51,000 website visitors but doesn’t sell any personal data.
As the CCPA verbiage may be challenging to comprehend for people with a non-legal background, we’ve listed the key aspects of this data privacy law in the section below.
Let’s explore what this law does!
What Does the California Consumer Privacy Act Do?
The law imposes various obligations on any business that falls under the jurisdiction of CCPA. According to the California Attorney General’s office, businesses that want to remain compliant with the law must:
- Notify customers in advance about the personal data collected
- Verify the identity of all consumers making an opt-out request or any other request under the act
- Respond to consumers’ requests within a definite, specified time period
- Make it easy and straightforward for consumers to exercise their rights
- Allow consumers to opt-out and delete personal information from the company’s database
- Disclose financial incentives received for data sharing and selling to third parties
- Maintain records of all submitted requests, and of how the business responded to them, for 24 months
How To Maintain Reasonable Security Procedures and Comply with CCPA:
To implement reasonable security procedures and comply with this California law, you must focus on the following steps:
1. Update your website
First things first: update your privacy policy to outline what personal data your business collects, why you collect it, and how you will process it. Ensure your website details how customers can submit requests and how you handle those requests. At a bare minimum, provide a toll-free number for users to get in touch with you.
2. Create a homepage privacy link
To ensure complete compliance, don’t forget to display the ‘Do not sell my personal information’ link somewhere visible on your website. Link it to an online form through which consumers can opt out of having their personal information sold to data brokers and third parties.
3. Store records of consent
Maintain a record of the consent of every California resident who has given your business permission to sell or use their personal information. It’s also a good idea to store records of the opt-out requests made by customers.
This step ensures that you can identify which California residents’ personal information you can sell and which you cannot sell or reuse. It also lets you demonstrate to the Attorney General that your business complies with CCPA.
4. Focus on the security of personal information
Because the law focuses on the security of consumers’ personal information, it gives California’s Attorney General the right to impose fines whenever a data breach occurs. From encrypting data to identifying sensitive data, focusing on security could be a game-changer for your business and help ensure you remain compliant with the law.
5. Train employees
Unless you train employees on the key aspects of CCPA and on what counts as personal information, fostering a culture of compliance will be challenging. Training is essential for customer-facing roles: employees must know how to handle consumer requests regarding their personal information.
What is the New California Data Privacy Law?
The California Privacy Rights Act (CPRA) is the latest addition to the family of data privacy laws. Unlike CCPA, CPRA aligns closely with the GDPR. CPRA expands CCPA in many ways, including:
- Doubling the CCPA threshold number of consumers from 50,000 to 100,000, thereby reducing the law’s applicability to small and midsized businesses.
- Expanding the applicability to businesses that generate most of their annual revenue from sharing customers’ personal information.
- Imposing different requirements and restrictions on aggregate consumer information:
  - Opt-out requirements for disclosure and use
  - Opt-in consent standard for disclosure and use
  - Disclosure requirement
Wrapping Up
With governments giving due importance to data privacy laws, both CCPA and CPRA will have far-reaching consequences and impacts on businesses that fail to comply.
Today, with a data theft occurring every 39 seconds, it’s probably the right time for businesses to embrace CCPA and CPRA before hackers gain unauthorized access to customers’ information and put your business at risk of closing.
The need of the hour for businesses is ensuring compliance with data privacy laws. In the coming years, more and more states are likely to pass their own rules and regulations that put consumers in the driver’s seat when it comes to their personal information.
How are you ensuring compliance with CCPA? How has it helped your business protect the personal information of customers?