What is CCPA?
The California Consumer Privacy Act (CCPA) is a first-of-its-kind data privacy law regulating how businesses collect, use, and share the personal information of California residents. CCPA applies to ‘for-profit’ businesses worldwide that cater to California residents. It gives Californians the right to decide how their personal information is used and shared, and it makes it easier for them to take action against companies that violate their privacy (even when no data breach has occurred).
The Consumer Privacy Rights Act (CPRA) comes into effect on January 1, 2023. It is an amended and extended version of CCPA and is often referred to as CCPA 2.0.
How does CCPA protect the buyers?
CCPA was introduced to protect California residents from the unwanted and uninformed sale or disclosure of their personal information to third parties.
Under CCPA, personal information includes any piece of information that can be linked to a specific consumer or household in a way that describes their preferences. Obvious examples are name, address, email address, social security number, and geographical location. Less obvious examples include records of previous purchases, browsing history, IP address, account names, employment data, educational data, sexual preferences, religious or political orientation, and biometric data such as fingerprints.
Here are some of the rights that CCPA provides to buyers:
- Right to know – Consumers must be informed about what information is collected about them and how it is used.
- Right to delete – Consumers can have their information deleted on request (with some exceptions).
- Right to opt out – Consumers can opt out of the sale of their personal information to third parties.
- Right to non-discrimination – Businesses cannot discriminate against consumers who exercise the right to delete and/or the right to opt out. They must provide the same services they provide to consumers who do not mind having their data collected and shared with third parties. That is why this clause is often called the ‘right to equal services’.
Who needs to comply with CCPA?
CCPA is mandatory for ‘for-profit’ businesses that cater to California residents, regardless of where the business is located. Even if you have no physical presence in California or the USA, you still have to comply, provided you meet at least one of the following criteria:
- You have an annual revenue of $25 million or more.
- You collect, buy, or sell personal information of 50,000 or more California residents, households, or devices (yes, you read it right. The number of devices also counts.)
- You generate at least 50% of your annual revenue by selling the personal information of California residents.
Under CCPA, the sale of personal information covers selling, renting, releasing, disclosing, and transferring data through both electronic and non-electronic modes (writing, oral communication, etc.). Covering non-electronic modes matters because it closes almost all possible loopholes. A sale need not involve monetary benefits, which again maximizes consumer protection.
CCPA does not apply to most nonprofit organizations and government entities. However, nonprofit organizations controlled by businesses to which CCPA applies must also adhere to this data privacy law.
CCPA also does not apply to businesses already covered by similar state or federal laws such as HIPAA, GLBA, and FCRA.
What happens when you don’t comply with CCPA?
Intentional noncompliance may bring a penalty of $7,500; unintentional noncompliance may bring a fine of $2,500.
In addition, you may have to pay $100 to $750 in statutory damages to the consumer. If there is a data breach, the penalties can multiply manifold and are usually decided by the California Attorney General.
Along with financial penalties, consumers may file a civil suit against your company if their sensitive personal information is leaked (even when the leak was due to a breach).
How to comply with CCPA?
Here are some basic things you can do to ensure CCPA compliance:
- Inform your users about the data you are collecting and why you need it. Inform them before and during the data collection process so they understand what they are agreeing to.
- The page where you collect personal data must give consumers a way to opt out of having their information shared with third parties. The easiest way to do this is a button labeled ‘Do not sell my personal information’, which makes opting out straightforward for consumers who want to.
- If you collect the personal data of minors, you must obtain consent from their parents or legal guardians.
- When approached by a consumer, you must disclose the information you have collected about them and how you have used it. The disclosure must cover at least the past 12 months, and you can’t charge consumers for it.
- You must ensure that your website, services, and information are equally available to all your consumers, whether or not they let you use their personal information.
- You must strengthen your data security to prevent breaches of personal information. This can save you from being sued for negligence.
CCPA Data Privacy Course
Introduction to the California Consumer Privacy Act.