What does CCPA stand for?
The California Consumer Privacy Act (CCPA) is a privacy law, superseding the California Consumer Privacy Act of 2018.
It’s intended to increase the control CA residents have over the collection and processing of their personal information, including details like names, addresses, biometrics, and geolocation data.
Who does the CCPA apply to?
The CCPA applies to any entity that does business in the State of California and meets certain criteria.
“Does business” is a broad definition. It could apply to you if you sell there and:
- Your business has an annual gross revenue of $25 million plus
- You handle information belonging to more than 50,000 customers
- 50% or more of your revenue is derived from selling personal information
The CCPA is enforced by the California Attorney General’s office.
What are the CCPA requirements to consider?
These are additional responsibilities, and you still have to comply with general data protection regulations:
- You must notify users of data collection and allow them to opt-out.
- You must have defined procedures for opt-out requests and the deletion of personal information.
- You must respond to said requests in a reasonable timeframe.
- You must verify the identity of the customers making the requests.
- You must maintain records of consumer requests and responses.
- You must include a “Do not sell my personal information” link on your website or app.
- You need to disclose any for-profit use of the retention or sale of personal information, including how the value of the information was calculated.
These requirements relate to four consumer rights granted to California residents under the CCPA:
The right to deletion
A customer has the right to request that you delete any of their consumer data.
Your business has to comply with these requests, but there are certain circumstances where the retention of a consumer’s personal information is permitted.
Such as if the data needs to be used to complete a transaction, fix errors, or comply with other legal responsibilities. This applies to debit or credit card data needed for a purchase.
There are other exemptions, like limited internal use or the investigation of malicious activity.
The right to be informed
This right means customers must be informed before data is collected or when it’s collected.
Your business has to tell customers the categories of information being collected and the commercial purposes of collection.
The right to access data
This means a user has the right to access any of the personal data you’ve collected. It also means you have a responsibility to answer requests for data without delay.
The available information must be provided free of charge.
The right to opt-out
This gives users the right to opt-out of the sale of their information to a third party.
Does the CCPA apply to other states?
Yes. If your business collects data from customers in California, the CCPA applies no matter your location.
GDPR vs. CCPA requirements: How are they different?
The General Data Protection Regulations (GDPR) govern the rights of EU citizens regarding their personal data.
There are five key differences between the acts:
GDPR applies to any business that deals with data from a “data subject” in the European Union.
CCPA only applies if you deal with residents of California and operate in California.
2. Data type
GDPR broadly covers all categories of personal information regardless of purpose, even if you’re just collecting data for a petition form.
CCPA makes distinctions on what kind of data is protected and when.
3. Data use
GDPR outlines the difference between collecting, processing, and selling information.
CCPA considers the broader term “processing” to cover any of these actions.
4. Data access
CCPA compliance means sending regular reports when a user’s data is collected or sold within a 12-month period.
GDPR is stricter, with rules on data retention, the right to withdraw, and direct notification of data collection on an opt-in basis.
Under the GDPR, penalties can be imposed for non-compliance. Up to $24 million (or four percent of the offending company’s annual turnover).
The CCPA is retroactive, and penalties only apply if a data breach occurs. They range from $2,500 to $7,500 for intentional violations.
What must organizations do to comply with the CCPA?
Assess data security practices
It’s outlined in the CCPA that a business has to “implement and maintain reasonable security procedures.”
There’s no further clarification on what that means. Instead, a business has to rely on data security best practices.
Train employees on information handling
Under the CCPA, your business is responsible for your employee’s handling of personal data.
That means adequate training on the handling and disclosure of personal data is essential for all staff.
Help customers exercise their rights
Having clearly defined processes for how to handle requests under the CCPA will help both your business and customers.
Take steps to inform your customers upfront about their rights.
Be prepared for the “look back” requirement
The look-back requirement refers to your business’s responsibility to provide records covering a 12-month retroactive period.
This requires a way to store, categorize, and access customer data.
Carry out website updates
Keeping your website security regularly updated is also important. This will prevent data breaches ahead of time, as well as help you comply with other data privacy laws and amendments.