The California Consumer Privacy Act, or CCPA, is a regulation that will go into effect on January 1, 2020. The regulation is established by the state of California, addresses data protection, and provides California consumers with control over their personal information. Similar to the UK’s GDPR regulations, CCPA was created to enhance privacy rights and consumer protection.
The Control CCPA Gives to Consumers
CCPA states that consumers residing in California have the right to protect their personal information at any time, and also to request more information at any time on how their information is being collected.
- Consumers in California have the right to understand exactly what’s happening with their personal information. Specifically, a California consumer can request the following information at any time, and the law requires companies to provide the information quickly and in a portable format:
  - Which categories of personal information were collected, shared or sold
  - Categories of sources from which this personal information was collected, who it was shared with and who it was sold to
  - The specific personal information that has been collected about a California consumer
  - Why the personal information was collected
- Consumers in California have the right to request that a company delete personal information collected about them at any time.
- Consumers in California have the right to direct a company to not sell their personal information to third parties. “Sell” in this regard doesn’t just include a monetary exchange; it also includes any sort of in-kind partnership or trade.
“Personal information” as defined by CCPA includes:
- Personal identifiers such as real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers
- Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Internet and other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a California resident’s interaction with a website, application or advertisement.
- Geolocation data
- Biometric information
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment related information
- Education information
An important caveat to note about CCPA: Its definition of a California resident is quite broad. In fact, it includes every individual who is in the state other than for a temporary or transitory purpose. It also includes every individual who is “domiciled” in the state who is outside of the state for a temporary or transitory purpose. Essentially, it covers Californians who are traveling in other states.
Who CCPA Applies To
The California Consumer Privacy Act protects any California resident. CCPA regulations apply to for-profit businesses that collect personal information about California consumers if the California business:
- Has annual gross revenues over $25 million
- Annually buys, receives, sells or shares personal information of over 50,000 California consumers, households or devices
- Derives at least 50 percent of annual revenue from selling California consumers’ personal information. That personal information includes data on consumers, employees, business contacts and business agents.
CCPA does not apply to government entities or non-profits.
According to CCPA, companies that experience data breaches of consumer data will be held more accountable than they previously have been. Additionally, CCPA gives the California Attorney General the right to impose fines of up to $2,500 for each violation of the bill, and up to $7,500 for each intentional violation of privacy. Individuals also have the right to sue brands for up to $750 per privacy violation.
What You Need to Do to Become CCPA Compliant
First and foremost, talk with your attorney. Rely on a licensed professional to understand the ins and outs of your specific business to determine what changes, if any, need to be made to your processes to become or remain CCPA compliant.
However, as consumer and marketing regulations continue to be developed and evolve, it’s important that businesses work to establish processes around data collection and consumer data requests. At the very least, work with your attorney and internal administrative team to:
Establish a Process Around Consumer Data Requests
Even if your organization doesn’t fall within the CCPA guidelines listed above, it’s not outside of the realm of possibility that other states will be looking to create similar guidelines for data protection. In fact, Washington State, New Jersey and Massachusetts are all considering similar state privacy laws. And, even if they don’t, having a process to facilitate consumer data requests speaks to a level of trust that consumers can have in interacting with your organization.
Work with your attorney and internal team to create a process to quickly and effectively respond to consumer requests to access and delete their personal information and opt out from having it sold.
Revise Privacy Policies on Your Website
CCPA requires organizations that are subject to CCPA regulations to provide a clearly visible link on the homepage of their website to make it easy for consumers to opt out of the sale of their data to third parties.
It’s also advised that organizations update their privacy policies on their websites to explicitly detail how data is collected, why the data is collected and if and how it’s shared.
Establish Governance
If there is no one within your organization who has the particular skillset to manage the ever-evolving regulation landscape, consider finding a partner or internal hire who will ensure compliance is monitored and enforced. This individual should review all data sources and make amendments to contracts as needed.
Review Your Vendor Contracts
Work with your vendors and third-party partners to understand exactly how and where they process and store data. Even if they are a third-party solution, your organization could still be held liable if that vendor processes your consumers’ data outside of compliance.
We Are Here to Help
If you need any adjustments made to your website or online processes, we’re here to help. Contact us today to discuss any changes that your team or your legal team has noted should be made. Or, if you need help understanding how your data collection works on your site today, we’re happy to answer any and all questions.