CCPA: All About the California Consumer Privacy Act -
To kick off the year ahead to begin the new year, it was announced that the California Consumer Privacy Act (CCPA) officially went into force on January 1st in 2020. This historic state-level privacy bill was unanimously passed and signed into law in the summer of 2018, and firms are already working on adhering to the rules by the compliance deadline of July 1st, 2020.
Do you have the right tools to be CCPA conforming? Keep reading to learn more about the CCPA, the requirements, and the steps you must take to be compliant, regardless of where your business is located.
What is the CCPA?
The CCPA grants Californians the right:
- Find out what information about you is being collected, utilized, shared or sold, both as for the various categories and details of your personal information.
- The deletion of personal information is the responsibility of businesses and by extension, a business's service provider.
- You can opt-out of selling personal data. Consumers are able to direct any business selling private information to cease selling the information.
- Children younger than 16 must provide opt-in consent in conjunction with a parent guardian consenting for children under 13.
- Price non-discrimination or services when a customer exercises a privacy right pursuant to CCPA.
Who does the CCPA have an effect on?
Do you operate an online retailer? Pay your attention. If you're thinking that the CCPA doesn't apply to you due to the fact that you're not based in California Pay even more attention.
The CCPA applies if you're a not-for-profit company, or collect or control any information regarding a California resident and you meet all of the following criteria:
- Are your gross annual earnings exceeding $25 million
- Buy, get, or sell personal information of more than 50,000 consumers homes, individuals, or devices
- Derive at least 50 percent of your annual income from the sale of the personal details of consumers
- Manage personal data of more than 4 million consumers; which will require more requirements
What constitutes "personal information" in the context of the CCPA?
Good question! If you're asking if personal information has changed under the CCPA It has.
The CCPA extends its definition of "personal personal information" to encompass any information that "identifies or is related to, describes or is susceptible of being linked to or could be reasonably linked, directly or indirectly, with a particular consumer or family."
This broadens the scope of personal information under California Law to include IP addresses, browsing histories as well as information about internet searches such as location information, job data, educational information and more. The CCPA further states that "inferences drawn" from personal information data to "create an image of consumers that reflect their preference, characteristics, psychological tendencies, interests or predispositions attitudes, intelligence, abilities and talents" are considered to be personal data as well.
What can you do to ensure you are CCPA in compliance?
Is your data a mess? Time to fix it. If you want to become CCPA compliance, you have to know where to look up and provide personal data about California residents upon request. Are you working with third-party processors e.g. online shopping platforms? If so, do you know the way they use your customers' data? It's time to find out. Because the CCPA is so similar to GDPR (although there are some key difference) is it a good suggestion to remember any sources or processes that you employed to become GDPR compliant.
Another aspect in the CCPA is that it raises the opt-in age for the collection of information. Before it was the Child's Online Privacy Protection Act required consent from a legal guardian in order to gather data about those under 13. The CCPA raises that threshold to. Now, users under 16 are required to register. However, those who are between the ages between 13 and 16 are able to sign their own permission rather than requiring a parent's permission.
If you're concerned that your business won't meet the requirements by the time you have to, you're not alone. Only half of the concerned businesses anticipate being in compliance by the time they reach the deadline. Good news? While the law takes effect in January, enforcement won't be in place for another six months. So you still have time to be prepared.
How will the CCPA impact business in the future?
There are still some not-answered questions regarding this aspect. However, it's possible to say that while California is the first state to implement a similar measure to GDPR, it won't be the final one. The world's fifth largest economy and where California is leading, other states often follow.
If your business isn't currently required to carefully manage consumer information and make it available on request, there's a great chance it will be soon. Is your data management good enough? What do you know about the third parties that have access to your data? It's moment to conduct some research. Get started data mapping now so that you do not get stuck in a jam at a later date.
