After the promulgation of the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) was the next data privacy regulation to have a significant impact on organizations all across the world.
The CCPA is a data privacy law that mandates companies to become better custodians of their consumers' personal information and is often seen as the U.S. counterpart of the GDPR. The law came into effect on January 1, 2020 and has been enforced since July 1, 2020.
Here is an overview of this critical privacy regulation.
Consumers who are protected and provided rights under the CCPA are the estimated 40 million residents of California. These rights include:
The right to notice requires an organization to provide consumers with notice of the company's practices regarding collecting, using, selling, and sharing personal information at or before the point of collection of their personal information.
Minors' personal information cannot be sold by a business unless the minor (aged 13 to 16 years) or the parent/guardian (if the minor is aged below 13 years) opts in to allow this sale. Businesses can be held liable for the sale of minors' personal information if they either knew or wilfully disregarded the consumer's status as a minor and the minor or parent/guardian had not willingly opted in.
The right to access allows consumers to request organizations to disclose the following personal information:
This all needs to be provided within 45 days of the request.
Even when consumers choose to allow a business to collect and sell their personal information, businesses must sign written contracts with service providers and/or any other entities who process the data on behalf of the company or are sold the business's data for a specific business purpose. Businesses must also transmit consumers' opt-out requests to their service providers and associated third parties.
The privacy policies of businesses must specify consumers' erasure rights, the collection and sale/disclosure of personal information, opt-in/opt-out rights for data sales, privacy-based discrimination restrictions, and consumer request metrics.
The CCPA strictly requires businesses not to discriminate against their consumers for exercising their rights under the CCPA. Companies are allowed to vary their services or change the price of goods and services if the difference in service or price is reasonably related to the value of the consumers' personal information to the business.
The right to erasure gives consumers the right to request deletion of all their data stored by the organization. Organizations are supposed to comply within 45 days and must deliver a report to the consumer confirming the deletion of their information.
Businesses are allowed to offer financial incentives to consumers, including payment as compensation, for the sale/collection of their personal information as long as the consumers at all times are able to revoke this permission and request deletion of all previously collected or sold confidential information.
The right to opt-out mandates businesses to set up a "Do Not Sell My Information" button on the company's website and implement procedures to comply with its corresponding requirements. A business cannot re-ask a consumer for consent for a period of 12 months after the consumer has opted out. Consumers also retain the right to opt out of the sale of their personal information, even after permitting its sale to a business, if a third party that bought the personal information wishes to sell it to another party.
Businesses must provide consumers with a minimum of two designated methods/channels for submission of consumer requests for personal information disclosure, including a toll-free number. Companies that exclusively operate online and have a direct relationship with their consumers may provide only an email.
The CCPA has given an expanded definition to the term 'Personal Information', which is protected under the statute. Any information that identifies a particular consumer or household is considered 'Personal Information'.
The only exceptions are publicly available information (made public by federal or state authorities) or de-identified consumer information.
If a for-profit entity that does business in California fulfills any one of the following three conditions, it must abide by the CCPA requirements.
Has $25 million in gross annual revenue;
Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year;
At least 50% of its annual revenue is generated from selling California residents' personal information.
Businesses to which the CCPA applies also include any entity run or controlled by a business, or that shares common branding with a business. No distinction has been made between domestic and foreign entities, and a foreign parent company with a controlling interest in a U.S.-based subsidiary would itself also be subject to the CCPA.
There are a few industries exempt from the CCPA because they are already sufficiently covered under other US federal privacy laws, such as:
Health providers and insurers that are already covered under HIPAA
Financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies under the Fair Credit Reporting Act
The CCPA is based on an opt-out cookie consent regime. Under the CCPA, the following are the requirements for a cookie banner:
Given the rising frequency and severity of privacy scandals and data breaches, CCPA has laid some strict penalties for businesses failing to comply. The penalties are:
Maximum civil penalties of $7,500 for intentional violations of the CCPA brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.
Maximum civil penalties of $2,500 for unintentional violations brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.
Consumers can file private lawsuits for between $100 and $750, or for actual damages, for each incident of breach of their unredacted and unencrypted data stored on a business's server. Companies will have only 30 days to cure the violation upon being served a notice by the consumer or will face civil penalties.
The law has been in force since July 1st, 2020, and it is expected that CCPA and other data privacy litigation will only increase in the coming years. The CPRA has already amended the CCPA and increased obligations on businesses and protections for consumers starting from 2023.
Given the expanded definition of the term 'personal information' and the tight time frame provided to businesses to respond to privacy disclosure, access, and deletion requests, along with the other requirements, complying with the CCPA can be very labor-intensive and costly.
Securiti's award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.
Securiti helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data access requests, assessments, consent management, and more.
Nearly 500,00 organizations worldwide have been affected by the CCPA.
According to IAPP research, 95% of businesses are not prepared for the CCPA.