What is the CCPA? Definition and Compliance Guidelines for 2021

The California Consumer Privacy Act 2018 (CCPA) gives California consumers greater transparency about how their personal data is handled.

According to the CCPA, California residents have the right to:

  • Know what personal data a business collects about them.
  • Know whether their personal data is sold or shared with third parties, and to whom.
  • Opt out of the sale of their personal data.
  • Have the personal data a business holds about them deleted on request.

California’s move to strong privacy law mirrors the consumer data protection stance of the EU GDPR and of Canada’s proposed Bill C-11.

The CCPA was signed into law in June 2018 in response to growing cases of businesses mishandling personal data, whether through flawed data-handling practices or data breaches.

Guidance on how to comply with the law is set out in the CCPA regulations issued by the California Attorney General.

California was the first US state to enact data privacy law of this strength, and its framework is likely to become a template for other states.

Similar data privacy laws are being considered or have already been enacted in Nebraska, New York, and Washington.

To learn how this law affects your business and how to comply with CCPA, read on.

Who must obey the California Consumer Privacy Act?

The CCPA applies only to for-profit businesses that do business in California and meet at least one of the following criteria:

  1. Gross annual revenue exceeding $25 million.
  2. Annually buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices.
  3. Deriving 50% or more of annual revenue from selling the personal information of California consumers.

CCPA compliance is not limited to businesses physically located in California.

A business located outside California must still comply with the CCPA if it:

  • Offers goods or services to California residents,
  • Collects any personal information from California residents (for example, the IP addresses of website visitors), or
  • Shares common branding with a business that is subject to the CCPA.

How does the CCPA define personal data?

The reach of the law depends on how the CCPA classifies personal information.

Under the CCPA, a consumer’s personal information is any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This includes the following categories of personal information:

  • E-mail addresses
  • Social Security numbers
  • Purchase histories
  • Web browsing history and search history
  • Geolocation data
  • Biometric data
  • Driver’s license numbers

It also covers inferences drawn from any of this information to build a profile of a person’s preferences and characteristics.

How is the CCPA different from the GDPR?

The CCPA defines personal information more broadly than the EU GDPR. Unlike the GDPR, the CCPA also covers information that relates to a household rather than to an individual.

This means that any data that could identify a person or a household may fall within the scope of the CCPA.

Another difference is scope of application: the GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of the organization’s size.

By contrast, CCPA compliance is only required of businesses that meet at least one of the three thresholds described under “Who must obey the California Consumer Privacy Act?” above.

CCPA and current California law for information breach notices

The CCPA does not alter the existing data breach notification obligations under California Civil Code Section 1798.82.

Businesses and state agencies must still notify California residents whenever their unencrypted personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person in a data breach.

A business whose breach affects more than 500 California residents must also submit a single sample copy of the breach notification to the California Attorney General. That sample copy must not contain any personally identifiable information.

Breach notifications are submitted to the Attorney General through an online portal.

California residents can search the breach notices the Attorney General has published on the Attorney General’s website.

How should businesses respond?

In response to the reasonable-security expectation the CCPA places on all covered businesses, the following steps should be taken to reduce the likelihood and impact of data breaches:

  • Review mandatory cyber security requirements – Businesses should identify every security regulation or standard binding in their industry, such as HIPAA, PCI DSS, NIST, ISO 27001 or COBIT.
  • Implement a cyber security framework – Even where no framework is mandated, adopting a widely used one can significantly increase cyber resilience.
  • Secure the third-party attack surface – A majority of data breaches are estimated to involve a third party. A third-party risk monitoring solution helps surface vendor vulnerabilities and reduces the risk of supply chain attacks and data breaches.
  • Test the incident response plan – Make sure the incident response plan supports rapid containment of data breaches and timely breach notifications.

How to meet CCPA requirements

Each of the key CCPA requirements below is followed by a summary of what businesses must do to comply.

Disclosure of personal data processing practices

Under the CCPA, businesses must:

  • Inform consumers, at or before the point of collection, of the categories of personal data being collected and the purposes for which they will be used.

Businesses must also update the following information in the privacy policy on their website at least once every 12 months:

  • A description of consumer rights under the CCPA, including the right to delete personal data and the right to opt out of the sale of personal data.
  • A description of how consumers can submit requests to know and requests to delete.
  • An accurate listing of the categories of personal data collected, sold and disclosed for a business purpose in the preceding 12 months.

A business is not obligated to respond to requests to know from the same consumer more than twice in a 12-month period.

How should businesses respond?

In response to this directive businesses need:

  • Publish a description of consumer rights under the CCPA and make it easily reachable from the home page.
  • Post a privacy notice describing the business or commercial purposes for which personal data is collected and sold.
  • Establish an internal policy for responding accurately to all CCPA privacy requests.
  • Adopt processes that accurately identify the categories of consumer data collected, shared and sold.

Consumers have the right to request a complete deletion of their personal information

Under the CCPA, consumers have the right to request that a business delete the personal information it has collected from them.

In most situations, businesses must honor a verified deletion request within the statutory response period, but there are exceptions, including the following scenarios:

  • When the data is necessary to complete a transaction or to provide a service requested by the consumer.
  • When the data is needed to debug and repair errors that impair the intended functionality of the product.
  • When the data is necessary to detect security incidents or to investigate malicious, fraudulent or illegal activity.

How should businesses respond?

In response to this directive businesses need:

  • Establish internal processes to verify and promptly honor consumer requests for personal data deletion.
  • Provide reliable channels through which consumers can submit deletion requests and receive a response.
  • Maintain an internal document listing the statutory exceptions under which a deletion request may be denied.

Consumers have the right to opt out of the sale of their personal information

The CCPA allows consumers to opt out of the sale of their personal data at any time.

Before selling a consumer’s personal information, a business must give affected consumers notice of its intention to sell, together with instructions on how to opt out of having their data included in the sale.

A third party that has purchased consumer data may not resell it unless the affected consumers have been given explicit notice and an opportunity to opt out of the sale.

How should businesses respond?

In response to this directive businesses need:

  • Include a clear link on the home page titled “Do Not Sell My Personal Information” that directs users to a page explaining how to opt out of the sale of their personal data.
  • Do not require consumers to create an account in order to exercise their right to opt out.
  • Establish procedures for recording and honoring all opt-out requests.

All consumers have the right to equal service and non-discrimination

If a consumer, or site visitor, chooses to exercise any of the privacy rights granted by the CCPA, the business must not:

  • Impair the availability of goods and services to the consumer.
  • Reduce the quality of customer service to the consumer.
  • Charge the consumer different rates.
  • Prevent such consumers from using the discounts or coupon codes available to all other consumers.

Penalties for non-compliance

Businesses have 45 days to respond to a verified consumer request under the CCPA, extendable where the complexity of the request requires it.

A business that fails to cure a violation within 30 days of being notified of it may be fined up to $2,500 per violation, or up to $7,500 per intentional violation.

Separately, consumers whose unencrypted and unredacted personal information is exposed in a data breach caused by a business’s failure to maintain reasonable security can bring a private right of action for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
