The California Consumer Privacy Act (CCPA) is a law passed by the state of California to give its residents the right to transparency and control over the personal information that businesses collect and use about them. It was signed into law on June 28, 2018, but did not take effect until January 1, 2020. Businesses must therefore demonstrate CCPA compliance or face costly violation penalties. The CCPA has since been amended by the California Privacy Rights Act (CPRA), which provides more comprehensive regulations. The CPRA will supersede the CCPA and be enforceable beginning January 1, 2023.
How CCPA Impacts Businesses and Consumer Privacy
The CCPA defines personal information as data that identifies, relates to, or could reasonably be linked with you or your household. Personal information can be as simple as an email address or phone number, or as complex as internet browsing history or records of purchased products. The CCPA goes beyond the standard U.S. privacy protections and mirrors the European Union’s General Data Protection Regulation (GDPR). These changes are the direction privacy regulation is heading and cannot be ignored. Following these guidelines not only keeps your business on the right side of the law, but also encourages responsible handling of personal data. It also gives customers more control over, and visibility into, how their personal information is processed.
The CCPA was rushed into law, as it passed only seven days after being drafted. Consequently, the CCPA was incomplete and full of gaps. As a result, the California Privacy Rights Act (CPRA) was drafted and passed into law to fill in those holes. The CCPA and CPRA are both active and effective legislation.
Who Does the California Consumer Privacy Act Apply To?
The CCPA applies to specific types of for-profit businesses that handle the personal information of California residents, who are the people it protects. Nonprofits and government agencies are exempt.
For-profit businesses that do business in California and meet at least one of the following thresholds are subject to the law:
- Gross annual revenue of over $25 million.
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
- Obtain 50% or more of annual revenue from selling California residents’ personal information.
California residents have the following four privacy rights connected to the handling of personal information by businesses:
- Right to Know: Transparency on how personal information is collected and used by businesses.
- Right to Delete: Ability to delete personal records collected by a business.
- Right to Opt-Out: Can refuse permission to use personal information for sales purposes.
- Right to Non-Discrimination: Businesses must provide equal service to individuals who exercise their CCPA rights.
What happens if you are not CCPA compliant?
Companies have 30 days to comply with the law once notified of a violation. If the issue is not resolved, the offending business can receive civil fines of as much as $7,500 per record in violation.
However, individuals cannot sue a business for most CCPA violations unless the violation is connected to a data breach. Under CCPA regulations, individuals can sue a business over a data breach if the stolen personal information includes a name combined with other personally identifiable information. Damages in such suits can be up to $750 per incident, or more if actual damages are higher.
CCPA Compliance Checklist for Websites
Now you know what the California Consumer Privacy Act is, who it applies to, and how costly a violation can be. Below is a list of measures that help keep you compliant with the CCPA. It is not exhaustive, but it applies directly to most websites that fall under the law.
- Have a “Notice of Collection”: This informs users when a website may collect information that is considered personal, and gives them the ability to opt out of that collection and of any sale of their data.
- Create a Method to Handle Requests: Whether requests come from a web form or a phone call, they must be documented and processed, and the person who made the request must be notified when it is complete. Remember that some requests require action within 30 to 45 days, so you cannot delay in acting on them.
- Process Minors’ Information Appropriately: Selling and sharing the information of minors must follow special requirements, such as obtaining opt-in consent from minors between 13 and 15 years old, or from legal guardians if the minor is younger than 12. Penalties are tripled for violations involving minors 16 and under.
- Schedule Website Changes: Work with your tech team or web designers to implement the notice of collection, update documentation and policies, as well as other topical or code changes to reflect compliance.
- Audit Your Security: As stated earlier, hefty fines and personal lawsuits apply when violations are connected to data breaches. Consult your IT team or network managers to strengthen the controls that protect sensitive information from compromise.
In addition to the tips above, consult professional legal counsel to create a comprehensive compliance plan for your business. It is also important that CCPA requests can be made and processed appropriately over the phone or through a dedicated website form, both to accommodate individual needs and to satisfy the law.