On January 1st, 2020 a new privacy law called the California Consumer Privacy Act (CCPA) came into effect, and enforcement is set to officially begin on July 1, 2020.
The CCPA represents the first major personal data privacy act enacted by a US state and marks the beginning of local government legislation regarding data privacy protection. Legal experts expect most US states to follow suit, and the federal government is also likely to eye consumer privacy legislation in the future, just like Europe did in 2018 with the GDPR.
We believe it’s not a matter of “if” but “when” new consumer privacy bills will be introduced in both the US and other countries. As such, many businesses cannot afford to ignore CCPA and must consider their organization’s overall approach to consumer data privacy protections. To avoid penalties in California or any state with future legislation, compliance is essential.
ADK is here to help prepare your organization for a future riddled with a variety of data privacy protection requirements, starting with CCPA. All of this might sound a bit scary, but we've developed a process for helping organizations first determine their obligation, then ensure compliance. Let’s talk about the steps you can take to minimize your business’ risk.
Similar to how Europe's General Data Protection Regulation (GDPR) changed the way businesses handled the personal data of EU citizens, the CCPA is set to do the same for California residents - regardless of whether your business is based in California or elsewhere. While GDPR isn’t as applicable to companies based in the US (and has been somewhat ignored for that very reason), the CCPA is much more likely to impact everyday American organizations with an online presence.
According to the Morgan Lewis law firm, a business is only subject to CCPA if:
In addition, the CCPA only applies to businesses that also meet any of the following criteria:
If your company does not collect information from California residents at all, you do not need to comply with CCPA at this point. There are also certain types of consumer data exempt from CCPA protection. The CCPA comprehensively outlines rules and regulations, as detailed on the official California Consumer Privacy Act website.
If you're unsure whether your business’ compliance is required or not, take this short CCPA Compliance Checker questionnaire to determine your legal obligations. Otherwise, email email@example.com and our team of privacy protection-savvy developers, designers, and strategists will be happy to assist.
If a business’ non-compliance continues after a 30-day notification window, the California Attorney General is likely to open a civil case and levy fines ranging from $2,500 to $7,500 per violation, plus up to $750 per incident in compensation to individuals.
To help you navigate this new Act and avoid any potential fines or penalties, we've put together this helpful CCPA compliance checklist. With it, you can begin to make sense of the CCPA as a whole. But more importantly, you'll see the steps you need to take to ensure your site complies with CCPA and future US data privacy laws.
If your business/website is indeed subject to CCPA requirements, update your online privacy notices immediately.
All businesses subject to CCPA requirements must promptly issue a notice informing their customers of the types of personal information they're collecting, as well as how that info is being used. Under CCPA, you can still collect the following information on your visitors:
On-site notices must explicitly explain to consumers that they have the option to opt out of this data collection at any time and also provide them the ability to do so.
Companies will also need to update their own on-site privacy policies to describe what the new consumer rights afforded by the CCPA are (see below).
Full CCPA compliance requires that all businesses maintain a database that tracks their data collection and processing activities. This database should outline:
The CCPA specifies a list of consumer rights that must be protected and ensured. These rights include:
The CCPA imposes penalties on companies for any security breaches that expose consumer data that they've collected. As such, liability for data breaches for California residents now rests fully with the entity collecting the information, not any third parties such as cloud storage providers.
To help mitigate the risk of penalties, all companies should carefully vet third-party vendors for CCPA compliance prior to signing a contract with them. They must also ensure that CCPA compliance is being met by any vendors they're currently contracting with.
All businesses should understand how their consumer data moves between internal and third-party systems. This will give businesses the ability to better understand the points at which they are directly responsible for data privacy and security breaches.
It's important to note that all regulations set by the CCPA are set at the bare minimum to avoid penalties. The CCPA is merely the beginning of a new era of governmental oversight of personal information, and other states are already in the process of implementing their own CCPA-like regulations.
For smart businesses, the CCPA is an opportunity to establish a compliance culture that can be easily adapted to other state-specific protection laws as they become more prevalent. For example, the CCPA requires that businesses respond to requests to delete personal information within 45 days. To stay ahead of the curve, judicious companies could make it a policy to respond within 30 days, which may give them an advantage if response times are even more stringent for other states in the future.
Finally, the CCPA requires that companies that hold personal data on Californians train their employees on proper data-handling practices. The International Association of Privacy Professionals already offers comprehensive CCPA training courses, as do several other similar organizations. These online courses help employees navigate this new regulatory landscape to reduce the risk of fines and other enforcement actions.
To help you navigate the complexities of the CCPA and ensure your company remains in compliance with the Act's many regulations, exceptions, and other nuances, email us at firstname.lastname@example.org. Our experienced team can help you develop proper policies and procedures, perform internal audits of your site, and do whatever else it takes to ensure your company's consumer protection processes are in accordance with the California Consumer Privacy Act.