What is California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a data privacy law that mandates companies to become better custodians of their consumers’ personal information.
- The CCPA has garnered a lot of attention due to the historical influence California has had in prompting other states to adopt new and progressive legislation.
- It is expected that many states will adopt CCPA-like legislation in face of the global debate relating to data privacy regulation and protection.
- Several drafts being considered by Congress for a Federal data privacy law are reportedly very similar to the CCPA.
Here is an overview of this important new privacy regulation.
Rights under the CCPA
Consumers who are protected and provided rights under the CCPA are the estimated 40 million residents of California. These rights include:
Right to Notice
The right to notice requires an organization to provide consumers with notice of the company's practices regarding the collection, use, sale, and sharing of personal information.
Right to Opt-in for Minors
Data containing personal information of minors cannot be sold by a business unless the minor (if aged between 13 to 16 years of age) or the Parent/Guardian (if the minor is aged below 13 years) opt in to allow this sale. Businesses can be held liable for the sale of minors’ personal information if they either knew or wilfully disregarded the status of the consumer as a minor and the minor or Parent/Guardian had not willingly opted in.
Right to Access
The right to access allows consumers to request organizations to disclose personal information collected within the last 12 months, sources from where the information was collected, business or commercial use of information, categories of third parties with which the information is shared, categories of personal information that was sold or disclosed by the company, etc. all within a 45 day period.
Right to Continued Protection
Even when consumers choose to allow a business to collect and sell their personal information, businesses’ must sign written contracts with service providers and/or any other entities who process the data on behalf of the business or are sold the data by the business for a specific business purpose.
Right to Awareness
The privacy policies of businesses must necessarily specify consumers’ erasure rights, collections and sales/disclosure of personal information, opt in/opt out rights for data sales and restrictions on privacy based discrimination.
Right to No Discrimination
The CCPA strictly requires businesses not to discriminate against their consumers for exercising their rights under the CCPA. Businesses are allowed to vary their services or change the price of goods and services, if the difference in service or price is reasonably related to the value of the consumers’ personal information to the business.
Right to Erasure
The right to erasure gives consumers the right to request deletion of all their data stored by the organization. Not only are organizations supposed to comply within 45 days but are also required to deliver a report on the deleted information to the consumer.
Right to Sell
Businesses are allowed to offer financial incentives to consumers, including payment as compensation, for the sale/collection of their personal information they should at all times be able to revoke this permission and request deletion of all previously collected or sold personal information though.
Right to Opt-out
The right to opt out mandates businesses to set up a “Do Not Sell My Information” button on the company’s website and implement procedures to comply with its corresponding requirements. Consumers retain the right to opt out of the sale of their personal information again, even after giving permission for its sale to a business, if a third party which bought the personal information wishes to sell it to another party.
Right to Multiple Request Mechanisms
Businesses must provide consumers the minimum of two designated methods/channels for submission of requests for disclosure of personal information including a toll free number. Businesses that exclusively operate online and have a direct relationship with their consumers may provide an email.
Definition of Personal Information
The CCPA has given an expanded definition for the term ‘Personal Information’ which is provided protections under the statute. Any information that identifies a particular consumer or household is considered ‘Personal Information’.
This includes a huge variety of data such as:
Identifiers
(Real names, alias, residential address, IP, email address, account name, social security number, driver’s license number, passport number etc.);
Professional or employment-related information
Information about employees from personal information, job title, contracts (if any), benefits and any professional related data
Commercial information
(Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies etc.);
Education information
Information that is presented by the person that can not be found publicly. This does not apply to publicly accessible educational information on the individual.
Biometric information
Biometrics is the technical term for body measurements and calculations. It refers to the metrics related to human characteristics in order to verify identity or gain access.
Inferences drawn from any of the information mentioned above to create a profile about a consumer
Reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Internet or other electronic network activity information
(Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement etc.);
Other information
This includes geolocation, audio, electronic, visual, thermal, olfactory, or similar information that may be in the possession of the organization.
The only exceptions are publicly available information (made public by federal or state authorities) or consumer information that is deidentified.
Who needs to comply?
If a for-profit entity which does business in California fulfills any one of the following three conditions, they are required to abide by the CCPA regulations.
Has $25 million
in gross annual revenue;
Obtains or shares personal information of at
least 50,000 California residents,
households, and/or devices per year;
At least 50% of their annual revenue is
generated from selling California
residents’ personal information.
Businesses on which the CCPA applies also include any entity run or controlled by a business or which shares common branding with a business. No distinction has been made between domestic and foreign entities as well as a foreign parent company, with a controlling interest in an U.S-based subsidiary would itself also be subject to the CCPA.
There are few industries exempted from CCPA, that are already sufficiently covered under other privacy laws, such as:
Health providers and insurers that are already covered under HIPAA
Financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies under the Fair Credit Reporting Act
Compliance risks under the CCPA
Given the rising frequency and severity of data breaches, CCPA has laid some strict penalties for businesses failing to comply. The penalties are:
Maximum civil penalties of $7,500 for intentional violations brought by the State of California through the Office of the Attorney General. Businesses will have only a 30 day time period to cure the violation upon being informed of the violation or will face financial penalties.
Maximum civil penalties of $2,500 for unintentional violations brought by the State of California through the Office of the Attorney General. Businesses will have only a 30 day time period to cure the violation upon being informed of the violation or will face financial penalties.
Consumers can file private lawsuits from between $100 to $750 or for actual damages for each incident of breach of their unredacted and unencrypted data stored in a businesses’ server. Businesses will have only a 30 day time period to cure the violation upon being served a notice by the consumer or will face civil penalties.
The law has come into force from July 1st 2020 and it is expected that CCPA and other data privacy litigations will only increase in the coming years.
To learn more about CCPA as well as other global privacy regulations,
and what to do in order to comply, sign up to get a free copy of the PrivacyOps book
Automating Compliance
Given the expanded definition of the term ‘personal information’ and the tight time frame provided to businesses to respond to privacy disclosure, access and deletion requests along with other requirements, complying with the CCPA can be very labor intensive and costly.
SECURITI.ai’s award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.
SECURITI.ai helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data subject requests, assessments, consent management and more.
Key facts
1
The CCPA stands for California Consumer Privacy Act
2
Nearly 500,000 organizations worldwide have been affected by the CCPA
3
According to an IAPP research, 95% of businesses are not prepared for the CCPA
4
The CCPA fines are a maximum of $7,500 per violation with no upper cap
5
CCPA exempts organization complying with the following:
- HIPAA
- Gramm-Leach-Bliley
- Fair Credit Reporting Act
6
SECURITI.ai uses award winning automation, machine learning and AI to help reduce cost, liabilities and human effort while helping your business comply effortlessly.
