The California Consumer Privacy Act (CCPA): An Introduction to Compliance
It seems January 1, 2020, will be here sooner than we imagined. The CCPA is coming into effect, putting in place stricter guidelines than the USA currently has when it comes to the collection and processing of personal information.
The CCPA (California Consumer Privacy Act) is a bill intended to improve privacy rights and consumer protection specifically for the residents of California, United States of America.
The CCPA bill was signed by Jerry Brown, the Governor of California, and was passed by the California State Legislature on June 28, 2018. The bill was to amend Part 4 of the California Civil Code. Additional substantive amendments were signed on October 11, 2019.
How do you comply with the California Consumer Privacy Act?
Companies that already comply with GDPR are supposed to meet the requirements outlined in the CCPA.
Subject to a number of exceptions, the CCPA applies to every business that collects and sells consumers' personal information, as well as to those that disclose personal data for business reasons.
The CCPA applies to companies and legal entities doing business in California that collect personal information about California residents. This includes companies that sell goods or services to California residents, even if the business is not physically located in California.
To fall within the scope of the CCPA, a business must also meet one of the following three criteria:
- It has $25 million or more in annual revenue
- It possesses the personal data of more than 50,000 “consumers, households, or devices”
- It earns more than half of its annual revenue selling consumers’ data
Businesses that fall under the CCPA will have to consider the following pointers:
Ensure that your decision-makers and key stakeholders know:
- What happens when the CCPA becomes effective on January 1, 2020
- What the CCPA is all about and to whom it applies
- How CCPA will affect your business practices
Document and organize your customer information so that your company knows:
- What kind of personal information is collected from your consumers
- In which form the personal information is collected
- Where the personal information is being stored
- For what reasons the personal information is being collected
- Where the personal information is being shared
This helps businesses set up an effective system for information retrieval when a consumer or an auditor requests detailed information.
Review and update your privacy policies
- A GDPR privacy policy will meet CCPA requirements, but a CCPA policy is not required to be GDPR-compliant. Ensure that the CCPA privacy policy is clearly defined and easily distinguishable from GDPR regulations.
- It is extremely helpful to train the employees who interact with your customers on a day-to-day basis. They can educate customers about privacy policies and CCPA compliance to enhance trust and increase customer engagement.
- Ensure that your customer engagement after CCPA compliance, privacy, and consent is in place
Is the California Consumer Privacy Act (CCPA) like the GDPR?
No. The two differ in their own respective ways. Obviously, there are some common points, but they are not the same. GDPR is the EU’s General Data Protection Regulation, which has been in effect since May 25, 2018. The CCPA, on the other hand, is the California Consumer Privacy Act, which is specifically designed for and will apply to California businesses. The law will come into effect on January 1, 2020.
We have highlighted a few of the significant points that differentiate the two.
To start with:
1. Transparency
The CCPA requires businesses and legal entities to be transparent in how they handle customers’ personal information and data.
Failing to comply with the law can lead to severe penalties: $2500 per violation, and $7500 if the violation was intentional and has caused further damage.
2. Disclosure
The California Consumer Privacy Act requires business entities to disclose the following at or before the time of collecting customers’ data:
- The type of personal information being collected
- The source or medium used to collect the personal information
- The reason behind collecting the personal data
- The reason behind selling the personal information
- The third parties that will receive the personal information
Upon request from the customer, the business must show how and where the personal data was collected and stored. This means the information should be readily available whenever disclosure is requested. In most situations, businesses are supposed to delete a customer’s personal data upon request.
3. Consent
The CCPA regulates consent by requiring a “Do not sell my personal information” link on the home page of the company’s website. This link should be clearly visible to customers, offering them the option to opt out of data sharing.
For a customer who is a minor (16 years or younger), this is considered an “opt-in” choice.
Additionally, businesses are not supposed to discriminate against their customers based on their data.
How does the CCPA handle data loss?
Identity theft caused by the breach of personal information or relevant risk permits a federal action against the data controller.
The approximate costs include the following: plaintiffs can seek statutory damages, which could be anything between $100 and $750. Actual damages can only be recovered if they exceed the statutory damages. Actions can be aggregated into a class action suit. However, these issues can be curbed when you have compliance-ready software installed.
Pointer: If the California Consumer Privacy Act feels burdensome to your organization, consider it an opportunity. Privacy is valuable to customers. Therefore, successfully implementing CCPA requirements on time can give a leading edge to your brand. Thankfully, compliance-ready software solves a lot of your compliance challenges. Here are some examples of how it works.
Challenge: A survey concluded that approximately 300 American companies from various segments and sizes required help in getting “External certification of validation” with regard to CCPA regulations.
Solution
Security measures, as well as privacy, are a challenge, even legally. However, this challenge can be resolved using technological solutions. Professional experts working in CIAM (Customer Identity and Access Management) can help your business meet its compliance needs.
Professional experts can help you implement major privacy regulations, including the GDPR and the CCPA, using technological solutions. The company keeps up to date with the ever-evolving regulations as well as new international privacy laws.
Conclusion
All business entities need to work towards a safe and healthy relationship when it comes to data collection and privacy, along with staying updated regarding new CCPA regulations.
Companies should start formulating their compliance strategies before the law comes into effect on January 1, 2020. In the meantime, keep checking for the latest updates and guidance related to the Act.