
Customer Data Privacy Enters America: What’s the California Consumer Privacy Act (CCPA) and CCPA Compliance?

by CISO NEWS TEAM

What’s the California Consumer Privacy Act (CCPA) and CCPA Compliance?

Data privacy now enters the U.S.! The California Consumer Privacy Act (CCPA) goes into effect in 2020. Here’s what to know about the CCPA and CCPA compliance.

If you think back to 2018, you probably remember a flood of emails related to the General Data Protection Regulation (the GDPR). For a while, the sweeping European privacy law dominated conversations.

It’s time to prepare for the second round in 2020. On January 1, 2020, California’s privacy legislation takes effect – and you need to know whether you must comply.

The California Consumer Privacy Act (CCPA) is an attempt to bring some of the data subject protections that the GDPR offers to the United States. Like the GDPR, it also comes with warnings and fines for those who don’t comply.

What is the CCPA and what do you need to do to maintain CCPA compliance? Keep reading for a short introduction.

What Is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) is a consumer-oriented law that aims to put people back in control of their personal information.

The CCPA does several things:

  1. It gives consumers rights over their personal information (to know what is collected, to have it deleted, and to stop its sale)
  2. It provides consumers with control over how and when businesses collect and sell their data
  3. It holds companies accountable for protecting consumer data

This is the essence of the law, and if you’re curious about all the details, you can read the full text of the act (Cal. Civ. Code §1798.100 and following) via the California Attorney General’s website.

Simply put, if you run a business with a website and collect data from your customers or visitors, you have a lot to do before January 1st, 2020, when the law takes effect.

Who Needs to Comply with the CCPA?

The CCPA is California state law – not federal law. So who needs to worry about CCPA compliance?

If you do business with consumers in California, then you need to comply, regardless of whether you have an office in the Golden State. But small businesses shouldn’t panic yet. You only need to follow the new privacy law if your for-profit business meets any one of these thresholds:

  • Earns more than $25 million in annual gross revenue
  • Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year
  • Derives 50 percent or more of its annual revenue from selling the personal information of California consumers

In essence, the thresholds target big businesses that rely heavily on personal data for their core operations: companies like Facebook, Google, and Target, which have suffered data breaches or received fines elsewhere for data practices that damage the privacy of consumers.

If you have a small e-commerce site and generate $250,000 a year selling candles and other crafts, then you don’t have to worry about it – at least not so much.

Although SMEs are not the primary target of the CCPA, you should still pay attention to the law. Eleven more states have introduced similar legislation that could directly impact you in the years to come.

The law has significant downstream effects. Even if you aren’t collecting data from Californians yourself but you process it on behalf of a company that does (the CCPA calls you a “service provider”), you may still fall within the law’s scope, typically through contract terms your clients must impose on you. If you are a third party, affiliate, or subsidiary processor, check with your clients to learn whether you fall under the compliance umbrella.

What Does CCPA Compliance Look Like?

The goal of the CCPA is to promote consumer data protection, not to punish businesses. Privacy, transparency, and accountability are the goals of the law, and all three are great for building customer trust and satisfaction.

A major focus of the CCPA is on consumer rights and privacy policies. Discussing these rights and how you share them in current and future privacy policy is an excellent place to start when initiating CCPA compliance procedures.

What Rights Does the CCPA Offer Consumers?

Before you initiate any reviews or process changes, you need to become intimately familiar with the rights granted by the CCPA.

These rights include:

  • The right to know what personal information gets collected, sold, or shared, and to receive a copy of it
  • The right to delete personal information (the right to erasure), subject to a set of exceptions such as completing a transaction or complying with a legal obligation
  • The right to opt out of the sale of personal information
  • The right to opt in before any sale of personal information (only for consumers under 16; for children under 13, a parent or guardian must give the consent)
  • The right to receive the same service and price whether they opt in or opt out (the right to non-discrimination)

In other words, you need to disclose all your data practices so that consumers can decide whether they want to participate. For example, if they don’t want you to sell their data, then you can’t sell it, nor can you penalize them with worse service or higher prices for opting out.

What is more, these rights dictate how you write your new or updated privacy policy.

What Is a CCPA-Compliant Privacy Policy?

A previous California law – the California Online Privacy Protection Act (CalOPPA) – already demands that you have and post your privacy policy online if you intend to do business with visitors from California.

The CCPA requires you to make some updates to your existing policies.

First, you need to decide whether you will have one privacy policy exclusively for California residents (those protected by CCPA), and one for the rest of the United States or if you want to use a single CCPA-compliant notice for everyone. The different privacy policies reflect the rights afforded to California residents.

It’s a good idea to use a single notice because of the impending legislation in Washington and ten other states. You won’t have to make 12 or more versions of your privacy policy over the next five years.

Once you decide on a strategy, you must update your policy by performing a review of the current policy and how you implement it.

You need to make sure your privacy policy and the systems it represents:

  • Disclose the data you collect, sell, or share for business purposes (including the categories of data collected and the purpose of collection)
  • Explain the CCPA consumer rights, including the right for consumers not to suffer discrimination for exercising their rights
  • Share how consumers can submit a request to access or delete their data (the CCPA requires at least two designated methods, and a response to a verifiable request within 45 days)
  • Identify the processes for deleting personal data, including how you verify that the request really comes from the consumer
  • Discuss how and when a consumer can opt out, including the “Do Not Sell My Personal Information” link the CCPA requires on your homepage if you sell personal information

It is vital that you not only cover these issues (as per CCPA) in your privacy policy, but that you provide the appropriate mechanisms for upholding them.

You have to do more than change your privacy policy. You have to change your behavior as well, or you open yourself up to fines from the California AG’s office.

Are There Any New Security Requirements?

The CCPA mentions security, but it isn’t prescriptive. Instead, it expects you to implement and maintain “reasonable” security procedures and practices appropriate to the nature of the personal information you handle.

You should expect to use baseline security measures like encryption, but beyond this, it’s up to your company to determine what’s appropriate. Encryption matters more than the vague wording suggests: the CCPA’s breach provision applies to “nonencrypted or nonredacted” personal information, so data that is properly encrypted at rest (with the keys protected separately) is outside the private right of action described below. For a benchmark of what “reasonable” means, the California Attorney General’s 2016 Data Breach Report pointed to the CIS Critical Security Controls as the minimum level of security a business should implement.

Why mention it if the law is so ambiguous?

Think back to the heart of the legislation: consumer protection.

In the past, plaintiffs struggled to establish standing when a company suffered a public data breach and their data was exposed. The CCPA tries to fix that by saying that a breach of nonencrypted or nonredacted personal information caused by “a violation of the duty to implement and maintain reasonable security procedures and practices” lets consumers recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

The result is likely to be a wave of class actions following public data breaches, although the private right of action is limited to such breaches (not to other CCPA violations), and a consumer seeking statutory damages must first give the business 30 days’ written notice and an opportunity to cure. Even so, the threat of paying damages in litigation should spur anyone who collects data to step up their security without the California AG telling them explicitly to do so or how to do so.

If I Am GDPR Compliant, then Am I Ready for CCPA?

The answer to this question is both yes and no.

The CCPA is only an introductory phase to “America’s GDPR.” The California law offers similar protections, but it does not go as far in its protections as the GDPR. In theory, if you are already compliant with the GDPR, then you should be on your way to preparedness for the CCPA because there is a distinct overlap with existing GDPR rights.

However, you will still need to address the differences between the two laws. The Future of Privacy Forum (FPF) provides a helpful analysis that describes the essential differences between them.

Perhaps the biggest difference between the two laws (besides scope) is that the CCPA explicitly requires companies to provide equal service and pricing regardless of whether customers opt out of the sale of their data. The GDPR’s requirement that consent be freely given implies the same thing, but the California law states it explicitly.

Are You Ready for the CCPA?

The CCPA was signed in 2018 and takes effect on January 1, 2020, with enforcement by the California AG beginning July 1, 2020. Although it’s a California law, it impacts companies (and their third parties and affiliates) across the country. The time for CCPA compliance is now.

Even if you don’t fall under the scope of the new privacy law, you should take notice. More laws are coming down the pipeline in other states that could impact the way you do business. More importantly, laws like the CCPA promote good business and data practices. Customers are no longer happy with the wild west-style of data sharing that went on for so long. Complying is both the right and smart thing to do.

Are you ready for the CCPA? Make sure to follow along for more privacy legislation content.
