On January 1st, 2020 a new privacy law called the California Consumer Privacy Act (CCPA) came into effect, and enforcement is set to officially begin on July 1, 2020.
The CCPA represents the first major personal data privacy act enacted by a US state and marks the beginning of local government legislation regarding data privacy protection. Legal experts expect most US states to follow suit, and the federal government is also likely to eye consumer privacy legislation in the future, just like Europe did in 2018 with the GDPR.
We believe it’s not a matter of “if” but “when” new consumer privacy bills will be introduced in both the US and other countries. As such, many businesses cannot afford to ignore CCPA and must consider their organization’s overall approach to consumer data privacy protections. To avoid penalties in California or any state with future legislation, compliance is essential.
ADK is here to help prepare your organization for a future riddled with a variety of data privacy protection requirements, starting with CCPA. All of this might sound a bit scary, but we’ve developed a process for helping organizations first determine their obligation, then ensure compliance. Let’s talk about the steps you can take to minimize your business’ risk.
What is CCPA?
Similar to how Europe’s General Data Protection Regulation (GDPR) changed the way businesses handled the personal data of EU citizens, the CCPA is set to do the same for California residents – regardless of whether your business is based in California or elsewhere. While GDPR isn’t as applicable to companies based in the US (and has been somewhat ignored for that very reason), the CCPA is much more likely to impact everyday American organizations with an online presence.
Who Needs to Comply with CCPA?
According to the Morgan Lewis law firm, a business is only subject to CCPA if:
- That business is for profit, and
- Does business in California, and
- Collects Californian consumers’ personal information, or determines the purposes and means of processing consumers’ personal information.
In addition, the CCPA only applies to businesses that also meet any of the following criteria:
- Has an annual gross revenue of $25 million or more,
- Acquires in any manner, shares, or sells the personal information of 50,000 or more California consumers, households, or devices per year.
- Derives more than 50% of annual revenue from selling personal information.
If your company does not collect information from California residents at all, you do not need to comply with CCPA at this point. There are also certain types of consumer data exempt from CCPA protection. The CCPA comprehensively outlines rules and regulations, as detailed on the official California Consumer Privacy Act website.
If you’re unsure whether your business’ compliance is required or not, take this short CCPA Compliance Checker questionnaire to determine your legal obligations. Otherwise, email firstname.lastname@example.org and our team of privacy protection-savvy developers, designers, and strategists will be happy to assist.
What are the Penalties?
If a business’ non-compliance continues after a 30-day notification window, the California Attorney General is likely to open a civil case and levy fines ranging from $2,500 to $7,500 per violation, plus up to $750 per incident in compensation to individuals.
To help you navigate this new Act and avoid any potential fines or penalties, we’ve put together this helpful CCPA compliance checklist. With it, you can begin to make sense of the CCPA as a whole. But more importantly, you’ll see the steps you need to take to ensure your site complies with CCPA and future US data privacy laws.
Update Your On-site Privacy Notices
If your business/website is indeed subject to CCPA requirements, update your online privacy notices immediately.
All businesses subject to CCPA requirements must promptly issue a notice informing their customers of the types of personal information they’re collecting, as well as how that info is being used. Under CCPA, you can still collect the following information on your visitors:
- Visitor’s IP addresses
- Web Browser information
- Date of the visit
- Time spent on each page, and so on.
On-site notices must explicitly explain to consumers that they have the option to opt out of this data collection at any time and also provide them the ability to do so.
Companies will also need to update their own on-site privacy policies to describe what the new consumer rights afforded by the CCPA are (see below).
Start Maintaining a Data Inventory if You’re Not Already
Full CCPA compliance requires that all businesses maintain a database that tracks their data collection and processing activities. This database should outline:
- Whether or not the consumer data is sold,
- Which categories of personal information (if any) are transferred to third parties,
- What personal information is covered by HIPAA, the Fair Credit Reporting Act, or any other law that would exempt the data from CCPA requirements, and
- Information on data that was collected 12+ months prior to the CCPA’s enactment on January 1st, as this data could be exempt.
Ensure Your Consumers’ Rights Are Protected
The CCPA specifies a list of consumer rights that must be protected and ensured. These rights include:
- The right to notice: As previously mentioned, all businesses must notify their customers about the categories of information they’re collecting and the purposes behind this data collection.
- The right to opt out: All businesses must allow customers the option opt out of the sale of their personal data. Businesses must make this process as easy as possible by including a clear “Do Not Sell My Personal Information” link on their site (preferably the homepage) which takes visitors to an intuitive request form.
- The right to request: All individuals have the right to request that a business disclose and deliver the personal information that is obtained about them.
- The right to know: If a business is collecting personal information from visitors, then all individuals have the right to request that the business discloses the specific categories of information being collected, as well as the various sources it was collected from.
- The right to delete: At any time, an individual has the right to request deletion of their collected personal information. Once the business verifies the individual’s identity, they must promptly delete all information related to them.
- The right to equal service and price: Businesses are not allowed to deny goods and services to certain individuals, nor are they allowed to impose penalties against individuals who choose to exercise their privacy rights.
Make Security Updates to Accommodate New Data Privacy Laws
The CCPA imposes penalties on companies for any security breaches that expose consumer data that they’ve collected. As such, liability for data breaches for California residents now rests fully with the entity collecting the information, not any third parties such as cloud storage providers.
To help mitigate the risk of penalties, all companies should carefully vet third-party vendors for CCPA compliance prior to signing a contract with them. They must also ensure that CCPA compliance is being met by any vendors they’re currently contracting with.
All businesses should understand how their consumer data moves between internal and third-party systems. This will give businesses the ability to better understand the points at which they are personally responsible for data privacy and security breaches.
Go Beyond the Minimum Requirements Set by CCPA
It’s important to note that all regulations set by the CCPA are set at the bare minimum to avoid penalties. The CCPA is merely the beginning of a new era of governmental oversight of personal information, and other states are already in the process of implementing their own CCPA-like regulations.
For smart businesses, the CCPA is an opportunity to establish a compliance culture that can be easily adapted to other state-specific protection laws as they become more prevalent. For example, the CCPA requires that businesses respond to requests to delete personal information within 45 days. To stay ahead of the curb, judicious companies could make it a policy to respond within 30 days, which may give them an advantage if response times are even more stringent for other states in the future.
Train Your Staff on Essential CCPA Compliance Protocols
Finally, the CCPA requires that companies that hold personal data on Californians train their employees on proper data-handling practices. The International Association of Privacy Professionals already offers comprehensive CCPA training courses, as do several other similar organizations. These online courses help employees navigate this new regulatory landscape to reduce the risk of fines and other enforcement actions.
Want Help Ensuring Your CCPA Compliance? We’re Here to Help.
To help you navigate the complexities of the CCPA and ensure your company remains in compliance with the Act’s many regulations, exceptions, and other nuances, email us at email@example.com. Our experienced team can help you develop proper policies and procedures, perform internal audits of your site, and do whatever else it takes to ensure your company’s consumer protection processes are in accordance with the California Consumer Privacy Act.