California Consumer Privacy Act: What to Know About CCPA Compliance
The California Consumer Privacy Act (CCPA) officially took effect on January 1, 2020. This new law is another sign of the recent worldwide focus on data privacy and protection, which has spurred many other regulations and statutes.
For example, not long ago, we saw the implementation of the General Data Protection Regulation (GDPR). Put in place in 2018, this European Union (EU) law had many organizations around the world scrambling to meet its stringent standards. From creating cookie and privacy policies to ensuring compliance with rules on data storage and use, companies doing business in the EU or handling EU residents' data had to make substantial changes to their business practices.
For smaller organizations in the United States, the GDPR didn’t cause quite the level of fuss as it did for multinational corporations. However, this new act out of California may just be the beginning of a massive overhaul of data management and protection policies on this side of the Atlantic.
The CCPA has the potential to upset marketers and technology experts in businesses of all sizes, especially since experts expect it to open the floodgates for other states to enact their own data privacy laws.
What is the CCPA?
The act, Assembly Bill 375 (AB 375), was signed into law in 2018 and outlines the rights of consumers surrounding the collection and use of their data. According to the California Department of Justice, these rights include:
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information held by businesses and by extension, a business’s service provider
- The right to opt-out of the sale of personal information
Ultimately, the CCPA provides ownership, control, and security over personal information.
On top of these rights, the law also imposes several business obligations on companies. For example, businesses subject to the CCPA must provide notice to consumers at or before the point of data collection, stating which categories of personal information are collected and the purposes for which they will be used.
Businesses must also put procedures in place that allow them to identify, verify, and respond to consumer data requests, including requests to opt out of the sale of personal information and requests to delete it. To support the opt-out right, the act requires businesses that sell personal information to provide a clear and conspicuous "Do Not Sell My Personal Information" link on their website or mobile app.
Who Does CCPA Affect?
Although this is a California law, businesses that are not physically located in the state can still be affected. Any for-profit organization doing business in California that collects, shares, or sells California consumers’ personal data may be affected. If you serve California residents and one or more of the following statements describes your organization, you are responsible for being compliant with CCPA:
- Your business has gross annual revenues over $25 million
- Your business buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Your business derives 50 percent or more of annual revenues from selling consumers’ personal information
GDPR and CCPA Compliance
We previously mentioned the other big data privacy law, GDPR. After CCPA passed, many organizations wondered if the two covered the same things. In other words, if a business was GDPR compliant, were they also CCPA compliant?
Unfortunately, GDPR compliance does not guarantee that your business will be compliant with California's new regulations around consumer data. The two laws differ in important ways: the GDPR generally requires a lawful basis for processing personal data, while the CCPA centers on notice, disclosure, and an opt-out of sale. On the upside, though, California's new consumer data rules overlap with the GDPR in many ways, so organizations that have already invested in GDPR compliance may be far ahead of competitors that are just embarking on this journey.
Although the CCPA went into effect on January 1, 2020, the state will not begin enforcing it until July 1, 2020. That gives businesses additional time to ensure their policies and procedures are in place and working. But what policies does a company need to be compliant?
Building a complete inventory of personal data (data mapping) is one of the key initiatives for businesses. Simply identifying all the personal data stored within your various applications can be difficult, and many organizations will want to retain an attorney to work through the various requirements and confirm that the company is fully compliant.
Still, under the CCPA, you must also be able to identify where each category of personal information is stored, how it is used, who is responsible for it, where it came from, and which third parties it is shared with or sold to. Plus, individuals must have an easy way to exercise their rights: to see what you hold about them, to opt out of sale, and to have their data deleted from your corporate databases (subject to the act's exceptions, such as data needed to complete a transaction, detect security incidents, or meet a legal obligation). Tracking systems are crucial for providing individuals accurate information about all of the data collected on them.
There are also the privacy notices we previously mentioned. Businesses must post these on digital channels such as websites and mobile apps. These will let consumers know how their data is being collected, used, and shared by the company.
Data breach exposure is another crucial part of CCPA compliance. The act does not itself add a new breach notification regime (California's existing breach notification law still governs that), but it gives consumers a private right of action when nonencrypted and nonredacted personal information is breached because a business failed to implement reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident. That makes clear ownership of each data set, and documented roles and responsibilities for securing it, part of compliance rather than an afterthought.
Although California was the first state out of the gate with a comprehensive consumer privacy statute, it's unlikely it will be the last. This will introduce the additional complexity of determining where your users are located and recording which privacy notice they received and which opt-out choices they have made, so that you deliver the correct privacy policies and honor the correct rights based on their geographic location.
Data governance is not a new concept. But the level to which the law requires organizations to track each category of personal information through collection, storage, sharing, and deletion is often costly and time-consuming.
To ensure your organization is compliant, you may want to work with a technology services partner who truly understands the requirements of the CCPA and GDPR. With civil penalties of up to $2,500 per violation and $7,500 per intentional violation, enforced by the California Attorney General and assessed per affected consumer, businesses cannot afford to ignore their data policies.