The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States.
Who does the CCPA apply to?
The CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, or has an annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.
Sale of PI is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
If a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance too.
What does CCPA mean for businesses?
To comply with the CCPA, businesses must provide users with the data collected about them once requested and must immediately disclose the following:
- All the sources from which the consumers’ data is collected.
- The intent or purpose of collecting or selling the information.
- Information about the third parties with whom the consumer data is being shared.
Businesses conforming to the California privacy law of 2020 must also do the following:
- Notify users beforehand of any personal data to be collected.
- Provide users with more than two ways to opt out of any data collection program they might be in and to prohibit any selling of their data. At the very least, this could be done by providing an opt-out link on the website accompanied by a telephone number.
- Provide users who exercise their rights under the California consumer law with the same level of features as everyone else.
- Maintain a record of user requests made under the act and the responses given.
- Verify the identity of a user requesting changes under the act to confirm the authenticity of the request.
- Respond to the user’s request and provide the requested data within 45 days of receiving the request.
- Disclose their own data privacy policies and practices to users.
What are the CCPA fines and penalties for non-compliance?
Failure to comply with the CCPA can result in fines of $7,500 per violation and civil damages of $750 per affected user.
The power to enforce the CCPA lies with the office of the Attorney General of California.
What does CCPA compliance look like?
For companies that collect and sell personal information, preparing for CCPA compliance includes:
- Updating privacy notices and policies. The CCPA requires consumer explicit notification of the company’s intent to collect and sell information “at or before the point of collection.” This notice must include what information is collected and why.
- Updating the data inventory with new classifications. Data stored on the backend must include records of the information’s sale, its transfer to third parties, the time of collection and sale, plus an indication of whether the information is covered by HIPAA or another data privacy law.
- Creating procedures to comply with California consumer rights. Companies need a way for consumers to request access to, deletion of, or opt out of the sale of their personal information.
- Reviewing site and business security. The CCPA requires “reasonable” personal data protection. For SMBs, a managed service provider may lighten this burden.
- Training staff. Train staff on what CCPA is, what its compliance requirements are, how to handle the new procedures, and how to handle potential incidents.