Much of our lives is digitized, and as we spend more time online, businesses can target buyers based on their consumption habits, location, preferences, and more. Due to a lack of federal legislation, states have taken it upon themselves to protect the consumer, and California is the most recent state to do so, with the California Consumer Privacy Act (CCPA) that comes into effect on January 1, 2020.
Much like Europe’s General Data Protection Regulation (GDPR), the CCPA aims to give consumers more control over how businesses use their data and to ensure that it’s not misused. This overview covers the main questions your business might have about this new legislation.
Who does CCPA apply to?
The CCPA protects consumers but is aimed at any organization that collects consumers’ personal data, does business in California, and meets one of the following thresholds:
- Has annual gross revenues in excess of US$25 million
- Possesses personal information for 50,000 or more consumers, households, or devices
- Earns more than half of its annual revenue from selling consumers’ personal information
What is “personal information” under CCPA?
The CCPA broadly defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples include obvious personally identifiable information such as name, phone number, social security number, driver’s license number, etc. The CCPA also includes less obvious information, such as biometric data, geolocation, IP address, or employment data.
What does CCPA mean for consumers?
CCPA legislation is intended to allow California residents more control and visibility over their personal information. The law provides residents with the right to:
- Know when their personal information is being collected: Businesses must notify consumers when their information is being collected (either before or as it happens), as well as what information is being collected, how it is being collected, and how the business intends to use it.
- Know whether personal information is sold or disclosed and to whom: Businesses must identify whether consumer information is being disclosed or sold to other parties, and who those other parties are.
- Refuse the sale of their personal information: Businesses must provide consumers with the ability to easily opt out of that sale through a “Do Not Sell My Personal Information” link on their website. There must be opt-in options for consumers under 16.
- Obtain access to, and request removal of, personal information: If a consumer specifically requests access to their information or that it be deleted, the business must comply (there are some exceptions to this rule, which are yet to be fully defined).
- Service equality: A business cannot discriminate against a consumer who exercises his/her rights under the CCPA. However, the CCPA allows a business to charge a different price or provide a different level of service to consumers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
What are the penalties under CCPA for businesses?
The CCPA requires businesses to be transparent in how they handle consumers’ personal information, and failure to comply can lead to fines of:
- Up to $2,500 per violation, or
- Up to $7,500 per violation if the violation was intentional
- Between $150 and $750 per incident, payable to the affected resident
What can businesses do to prepare for CCPA?
While CCPA might not come into effect until January 2020, now is a good time for organizations to take steps to meet the law’s requirements.
- Create a data inventory: Understand all the ways a business may obtain personal information, the types of information collected and shared, the purposes for which it’s used, the parties with whom it is shared and why, how data is stored, and data disposal practices.
- Update privacy policies: Policies should allow for consumers requesting access to their data, as well as its deletion; there should be provisions on consent for data sharing, including the ability to opt out; and there should be opt-in measures for youth under 16.
- Add a “Do Not Sell My Personal Information” link: This website link should be easily accessible and direct users to a web page that allows them to affirmatively opt out of the sale of their personal information.
- Update service-level agreements with third-party data processors: Make sure that any systems used for data services are equally compliant with CCPA legislation.
To learn more about this impending legislation, here are some additional resources:
- California Consumer Privacy Act of 2018 (IAPP – HTML version)
- The California Consumer Privacy Act: Frequently Asked Questions (Lexology)
- Readiness Roadmap for CCPA (PwC)
- CCPA and GDPR Comparison Chart (Practical Law / Baker Law)
If you’d like to learn how ePACT helps your organization better protect consumer data with these guidelines in mind: