In recent years, businesses have become accustomed to the process of adjusting to new privacy laws. After all, it was only last year that the GDPR went into effect and impacted how companies use personal data all over the world.
Now, there’s another major regulation set to go into effect in the coming months. At the start of 2020, California will roll out the California Consumer Privacy Act (CCPA) — making it the first state-level privacy law in the United States.
Data-driven companies are preparing for this new regulation, much like they prepared for the GDPR ahead of May of 2018. Naturally, business leaders are asking the question: What does the CCPA mean for my business?
Although we won’t truly understand the impact of the CCPA until after it goes into effect, there are ways for businesses to prepare for the new regulation, and today’s blog post has you covered! Read on as we explain what the CCPA is, how it will impact your business, and any other lingering questions you may have before CCPA goes into effect.
What is the CCPA?
The CCPA was created for the purpose of protecting the privacy and personal data of consumers who live within the state of California. According to the official CCPA website, the act provides California residents with the following:
1. Ownership of personal information.
The CCPA grants consumers the right to know what information businesses are collecting about them. The act also gives consumers the right to tell businesses they cannot use their personal information.
Consumers may request that a business disclose the types of personal information it collects, the purpose of collecting that information, and who the information is being sold to. They may exercise these requests twice per year, free of charge.
2. Protection for those who do not provide businesses with access to their personal information.
The CCPA prevents discrimination against residents who don’t allow a business to sell their personal data. In other words, if a consumer tells a business not to share their data, that business cannot charge the consumer more for services, deny them services, or offer them services of lesser quality.
3. More security and protection against data breaches.
The CCPA requires businesses to implement “reasonable security measures” to protect California residents’ personal information from potential data breaches. Businesses are subject to increased fines and penalties if they do not take adequate measures to safeguard the personal information they have collected from sales prospects and customers.
When does the CCPA go into effect?
The CCPA goes into effect on January 1, 2020.
How does the CCPA define “personal information”?
The CCPA defines “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CCPA documentation goes on to provide specific examples of personal data. The list includes, but is not limited to, the following identifiers:
- Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers.
- Commercial information including property records, product purchases, and other consumer histories and tendencies.
- Biometric data such as fingerprints and facial recognition data.
- Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements.
“Personal information” does not include publicly available information. As it pertains to CCPA, publicly available information refers to data that is lawfully made available by federal, state, or local government records.
How do I know if my business is impacted by the CCPA?
The CCPA applies to any for-profit organization that collects, shares, or sells California residents’ personal data and meets any of the following three criteria:
- Has an annual gross revenue of $25 million or more.
- Possesses the personal information of 50,000 or more consumers, households, or devices.
- Earns more than half of its annual revenue by selling personal information.
If my business is GDPR compliant, does that mean it is also CCPA compliant?
The CCPA and GDPR have many similarities in terms of how they protect personal data. But, there are several key differences between the two regulations. For one, the GDPR applies to data controllers and data processors. The CCPA only applies to for-profit businesses that meet one of the aforementioned requirements.
The GDPR also provides consumers the right to correct inaccurate personal data and restrict or object to data processing. The CCPA does not specifically include these rights. But, the CCPA does include additional requirements that the GDPR does not. These requirements include adding a “Do Not Sell My Personal Information” option on business websites, disclosing personal information sale or collection to the consumer, and nondiscriminatory treatment of consumers who exercise their CCPA rights.
In short, you should not assume that your GDPR-compliant business is also CCPA compliant.
What are the penalties for violating the CCPA?
The maximum penalty for violating CCPA laws is $2,500 per violation, or $7,500 for each “intentional violation”.
If a company suffers a data security breach that results in the theft of personal data, it may be ordered to pay damages to the impacted California residents. The court will consider several factors when determining the amount of damages. These include the seriousness of the misconduct, past violations, the persistence of misconduct, the company’s net worth, and other factors.
How do I make sure my business is CCPA compliant?
There are several steps your business must take to ensure consumers are able to exercise their rights under the CCPA. These are as follows:
- Provide two or more methods for consumers to submit requests about their personal information. At a minimum, these methods must include a toll-free telephone number, and at least one additional method such as a designated email address or online form.
- Establish protocols to respond to consumer requests within 45 days of receiving them.
- Update your privacy policies to include new CCPA privacy rights.
- Analyze your data collection and documentation processes. Ensure that you are able to track how you collect data, how you use it, and where it resides, and that you have a system in place to provide consumers with this information.
- Provide consumers with notice that their personal information is being sold. Implement a process to honor opt-out requests in a timely manner.
- Assess and document your data security practices to ensure your business takes the necessary steps to avoid data theft and any other security breaches.
Make sure your legal team reviews the entire CCPA initiative to identify all steps your business must implement to remain CCPA compliant. We highly recommend that you educate your entire staff on the key requirements of CCPA compliance.
Final Thoughts on the CCPA
Although California is the first state to implement such privacy regulations in the U.S., it certainly will not be the last. More states have begun to draft similar legislation and we’ll likely see many similar regulations pop up in the next several years.
We understand the challenges that come with understanding new data privacy acts, particularly when there are distinct differences between each regulation. But, the GDPR, the CCPA, and any data privacy acts to follow all serve an important purpose. And, that is to give consumers more control over their personal data. As the world of data and business intelligence continues to evolve, these new protection acts are a step in the right direction when it comes to data security and responsibility.