How the California Consumer Privacy Act Affects Your Business (Even If You’re Not in California)
Time seems to be speeding up these days, and even with calendar notifications popping up every two seconds, things tend to fall through the cracks more than we’d like. For instance, are you up to date with the General Data Protection Regulation (GDPR)? It went into effect last year. And what about the California Consumer Privacy Act (CCPA), which went into effect as of January 1, 2020?
Even if you were aware of them, they’re brand-new regulations, so it’s understandable if you haven’t caught up yet. But not to worry – we’re going to dive into the CCPA today and explore how you can ensure your company stays in compliance.
What Is the CCPA?
The CCPA is a piece of California legislation designed to give California citizens stronger data privacy rights than residents of any other state. Initially enacted in 2018, with changes going into effect in 2020, the law protects consumer rights regarding access to, deletion of and sharing of personal information collected by businesses.
Similar to Europe’s General Data Protection Regulation (GDPR), the CCPA protects consumers’ major rights when it comes to online data and commerce. As of January 1, 2020, these are the protections set in place under the CCPA:
- Right to notice: Businesses are required to notify customers what type of personal information they collect and the purpose for which it is used.
- Right to access: Consumers have the right to access their personal information. Consumers also have the right to request that an organization disclose what information has been collected, where the information came from and the purpose of collecting the information.
- Right to opt out: Consumers have the right to opt out of having their personal information sold by businesses. Children between the ages of 13 and 16 must opt into having their personal information sold. Children under the age of 13 must have a parent or guardian consent to the use of that child’s private information.
- Right to deletion: Consumers have the right to request that an organization delete their personal information.
- Right to equal services and prices: Companies are prohibited from discriminating against consumers based on private information gathered.
How the CCPA Is Impacting Businesses
The CCPA has created new obligations for businesses, and it is important to fully understand how the CCPA can affect the way your organization does business. Here are several things that you should be aware of now:
- All companies that serve California residents and have at least $25 million in annual revenue must comply with the CCPA. If your company does any business at all with individuals who live in the state of California, you must be compliant, even if your business is not located in the state.
- Companies of any size or revenue that have personal data on at least 500,000 people and earn more than half of their revenue from selling personal data must also comply.
- Companies need to comply as of January 1, 2020, but full enforcement of the law is not until July 2020.
- Insurance institutions, agents and support organizations are exempt because they are regulated under separate California legislation.
When it comes to the deletion of information, you should always be ready to clear out any data upon request. However, this does not mean that you always have to comply when a request is made. An organization is allowed to deny a request for deletion of information if the information is needed to:
- Identify or repair errors that impair existing intended functionality.
- Exercise free speech, ensure the rights of consumers to exercise free speech or exercise another right protected by law.
- Engage in public or peer-reviewed scientific, historical or statistical research for public interest.
- Comply with a legal obligation not otherwise mentioned.
How You Can Stay in Compliance with the CCPA
Staying in compliance with the CCPA isn’t difficult if your organization fully understands this law. Here are some ways your company can be in compliance with the CCPA:
- Provide notice to consumers that your organization is collecting data. This can include updating your privacy policy to describe the types of information collected and the rights consumers have.
- Create procedures for responding to requests from consumers, including requests about what kind of data is collected, requests to opt out and requests to delete information. Organizations are required to have at least two ways for consumers to make these requests. When a request is made, organizations are required to verify that the consumer is who they say they are. Once verified, an organization has 45 days to provide the information requested by the consumer.
- Ensure that all individuals who handle customers’ data know and understand all regulations.
If your organization is found in violation of any part of the CCPA, you will have 30 days after being notified to correct the problem and comply with the law. If an organization is found to have intentionally violated the CCPA, it can face a monetary penalty of up to $7,500 for each violation. Furthermore, the CCPA allows a consumer to sue an organization if there was a breach in data security. Organizations could pay penalties of $100 to $750 per consumer per incident.
Because other states are drafting similar regulatory laws, organizations can prepare themselves by following the CCPA and GDPR regulations. Nevada and Maine have already enacted their own regulations, and many more states have bills in progress.
Understanding the Nuances
Although the CCPA is a somewhat revolutionary piece of legislation in the United States, with California being the first state to enact such a law, the concepts of the CCPA are not new. It is closely modeled after the GDPR, and with a vast amount of e-commerce being global in today’s world, most organizations are already on track to be in compliance with these sorts of data regulations. However, it’s crucial that you protect your business by understanding the nuances in these regulations and keeping your organization safely in compliance.
KnowledgeCity’s course “GDPR and CCPA” covers both of these sweeping regulatory laws in great detail so that you can make sure that your business is operating at its peak ability rather than being hindered by complex data regulation laws. The course explores what each regulation is, who must comply, how one can comply, as well as consumer rights. With these changes happening rapidly, it’s important to stay up-to-date with courses like these so that your organization does not fall out of compliance.