In this day and age, data is the most important asset that businesses need to protect. All businesses, big or small, have access to more data than ever. This includes customer data, suppliers’ data, accounting data, and more.
The CCPA (California Consumer Privacy Act) has been brought into existence in the state of California for the protection of consumer data and safeguarding their interests.
In this article, we will discuss CCPA in detail and cover topics such as:
● What is CCPA?
● Difference between CCPA and GDPR
● Which business does the CCPA apply to?
● What is personal information under CCPA?
● What are the consequences of non-compliance with the CCPA?
● Steps to become CCPA compliant
The CCPA act was introduced on the 1st of January, 2020, in the state of California to protect consumers’ personal information. This act allows consumers to investigate what information is collected by a business about them, and how the information is used or shared. A consumer can ask a company to delete or alter their information under Section 1 (AB 1146), if they feel it will have an adverse effect or their privacy will be hindered. For example, a customer may not want his photo to be shared after a hair transplant.
In order to comply with the CCPA, businesses should take the following steps:
● First, find out if the CCPA is applicable to your business.
● Update the privacy policy data as per the CCPA.
● Provide an opt-in option for prior consent of the users to sell their information, and from parents for users who are in the under-age category.
● Provide the option ‘Do not sell my data’ for users to opt-out from selling their information.
The CCPA and GDPR both have the same objective, to protect consumers’ data and information from violation. However, there are a few differences between them as we’ll see below:
The CCPA was effective from 1st January 2020, while GDPR came into existence on 25th May, 2018.
CCPA protects information that will identify, describe, or is associated with the consumer, such as photos or videos. On the other hand, GDPR protects a specific piece of information about a consumer, for example, a credit card number.
The CCPA applies only for the state of California, while the GDPR is applicable to any data subjects who are citizens of the European Union.
Businesses that earn more than $25 million, collect data from more than 50,000 consumers, and generate more than 50% of the revenue by selling data accounts of consumers, come under the regulation of CCPA.
Any business around the globe that deals with private data of EU citizens comes under GDPR.
A fine of $2,500 to $7,500 is charged depending on the decision of the Attorney General of California if any law is violated under CCPA.
The penalty under GDPR can be 4% of the annual turnover of the company, or €20 million depending on which is higher.
The CCPA applies to all big and small businesses. All companies that are in the business of collecting data or information from the consumers need to comply with CCPA.
Specifically, businesses that come under CCPA compliance are:
● Businesses based in California or deals with consumers of California.
● Businesses that are engaged in collecting personal data of the consumers.
● Commercial organizations that make more than $25 million gross profit annually.
● Companies that are collecting and selling data for more than 50,000 users.
● Businesses that generate more than 50% of the revenue by selling data accounts of consumers.
● Additional obligations will be implied including the CCPA if the company is dealing with data exceeding 4 million users.
Businesses exempt from the CCPA are:
● Businesses not from California or those that don’t deal with California.
● Businesses not engaged in collecting data of consumers.
● Nonprofit organizations are also exempt from the CCPA.
● Agencies of credit reporting that come under the Fair Credit Reporting Act.
● Financial Companies that come under the Gramm Leach Bliley Act.
● Health care centers that are under HIPAA (Health Insurance Portability and Accountability Act).
Personal information under the CCPA is anything that describes or is associated with a consumer, household, or device directly or indirectly. Personal information covered under the CCPA includes the following:
Information that identifies a customer such as a name, age, gender, photograph, and other related identifiers.
Information such as signature, social security number, driving license number, bank account, etc comes under customer information of the CCPA.
Information detected and recorded electronically such as fingerprints, eye color, retina scan, and similar other biometric data.
Information such as bank details, transactions such as purchase and sale of goods and services, payment of utility bills, etc are all commercial records of a customer.
This refers to information on how qualified a person is, such as a graduate or a postgraduate.
Professional information refers to what a person is professionally engaged in.
Where people live, which places they visit and check-in, where they travel are information records of their location. The new trend of Facebook, Instagram check-ins are examples of showing the location of where a person has visited.
A company that doesn’t comply with the CCPA can be penalized with charges of thousands of dollars. If a business violates any CCPA law and fails to pay the charges, it risks complete shutdown of the business, website, or channel. Consumers are also in a position to sue companies for breach of their private information after a notice period of 30 days. Another body that can sue the business is the Attorney General of California for the violation of any law of the CCPA.
Here are some specific penalties businesses might incur if they fail to comply with the CCPA:
● Charges from $100 to $750 fined per violation if a company doesn’t prove itself just and fair in front of the consumer.
● A fine of $2500 can be charged by the Attorney General of California if the law was violated unintentionally.
● A fine of $7500 will be charged if the Attorney General feels that you have violated the law intentionally.
Here are some steps businesses can take to ensure compliance with the CCPA at all times:
First, you need to know if your business falls under the category to be compliant with the CCPA. To fall under the jurisdiction of the CCPA, your business should be a commercial organization collecting data of consumers of California and generating income of more than $25 million, making 50% profits by selling data, and selling data of more than 50,000 users.
Be sure to keep an eye on all personal information your business is collecting about your consumers. This includes data collected on your website, data your employees are collecting, and so on.
A data map is a very important part of data privacy management. It shows what data you collect, where it is stored, how secure it is, who has access to the data, and the purposes it is used for.
Consistently review your policies and procedures regarding the handling of personal information in your company. Your employees should not be allowed to download data of customers on their devices. For example, accounting data for audit purposes.
Create a process for customers to opt-out and delete their data from your records. This is an important part of the regulation. Customers can opt-out or delete the sharing or selling of their data. This link should be prominently accessible on your website.
A company should promptly respond to customers if they have any requests to change their data usage. Companies should be able to provide information if the consumer asks about their private information and how it is being sold.
Review contracts with the third party vendors on your policies about managing and using customer data. Determine things that need to be changed related to the privacy policy. Outline the responsibilities that will be handled by the third party and include them in the contract.
The CCPA has strict fines for data breaches. Thus, it’s essential that data collected is fully secured and encrypted. Review your security control measures and make sure they’re sufficient to protect your business against breaches.
Employees must be adequately trained and educated regarding the CCPA. They must be aware of the consequences of mishandling data, and how best to communicate with customers regarding their personal information.
The goal of the CCPA is to protect consumer information from being misused and mishandled. Businesses complying with the CCPA are thus likely to enjoy more loyalty and goodwill from customers.
If you’re struggling to keep up with the various laws and regulations your business must comply with, we’ve got a solution for you. VComply’s GRC software makes it easy for businesses in all industries to manage compliance and governance in a hassle free way.
Explore what makes VComply a consistent G2 high performer in Compliance Management. Request your demo today and transform your approach.
Discover the immediate impact VComply can bring to your compliance program. Move beyond the limits of spreadsheets with a system of record designed for complete compliance management.