STAMFORD, CONNECTICUT (January 8, 2020) – On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, making California the first state with a comprehensive data privacy law that gives its residents the right to control the data businesses collect about them. Though only a state law, the CCPA will affect how businesses across America and the globe collect and share data. With 40 million residents and the fifth largest economy in the world, California strongly influences the rest of the country’s laws and business practices. The CCPA also reaches businesses located outside California if they collect or sell personal information about California residents.
As the first state law of its kind, but presumably not the last, it’s important for businesses to understand if they’re required to operate in compliance with the law, and if they are, how they can achieve compliance. In this article, we’ll go over who needs to comply with the CCPA, what rights the law gives to consumers, and how businesses can achieve compliance in their operations.
Who needs to comply with the CCPA?
The CCPA applies to many businesses across the United States and the globe even though it is a California state law. A company that collects personal information from California residents or their devices may be subject to it regardless of where the company is based. As outlined in the law, a business must comply if it meets any one of the following three thresholds:
- It has annual gross revenue of over $25 million.
- It derives 50 percent or more of its annual revenue from selling consumers’ personal information.
- It buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices per year.
The CCPA defines ‘personal information’ as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to this definition, personal information could be things such as:
- Personal identifiers: name, social security number, postal address, driver’s license and passport numbers
- Web-based identifiers: IP address, cookies, beacons, pixel tags, account names
- Biometric data: face geometry, fingerprints, DNA and voice recordings
- Geolocation data: location derived from a device or from search history
- Internet activity: browsing and search history, interactions with a website or advertisement
- Characteristics of protected classifications under California or federal law: race, religion, sexual orientation, etc.
This means that if your business meets none of those thresholds (revenue under $25 million, less than half of revenue from selling personal information, and personal information of fewer than 50,000 California consumers, households or devices handled per year), the law does not apply to you. If it does apply, then it is important that you understand what rights the CCPA gives to consumers and how your business can comply.
What rights does the CCPA give to consumers?
The CCPA gives consumers control over the personal information collected about them, organized around three main rights. Under the CCPA, consumers have the right to:
- Opt out of the sale of their personal information to third parties.
- Disclosure of what personal information a business has collected about them in the previous 12 months, including the categories of sources it came from and the categories of third parties it was shared with.
- Deletion of the personal information the business collected from them, subject to the statutory exceptions (for example, data needed to complete a transaction the consumer requested or to detect and prevent security incidents).
It also includes age-specific rules. Under the CCPA, a business may not sell the personal information of a consumer it knows to be under 16 without opt-in consent: for children under 13, a parent or legal guardian must opt in on their behalf, and consumers who are at least 13 but under 16 must opt in themselves.
The CCPA differs from the European General Data Protection Regulation (GDPR) mainly in its consent model: the CCPA lets a business sell consumer data until the consumer opts out, whereas the GDPR requires a lawful basis (most often the data subject’s prior consent) before personal data is processed at all. While the overall intention is the same, the European law is much broader in reach, protecting anyone whose data is processed by an organization established in the EU or who is in the EU when their data is collected, regardless of citizenship, whereas the CCPA only protects California residents.
How do businesses comply with the CCPA?
The main thing to remember about business compliance with the CCPA is that your business must provide ways for consumers to control their data and exercise their rights concerning the disclosure and deletion of data collected about them. The official requirements can be read on the California State website, but we’ve compiled this non-exhaustive check-list to give you an idea of what your business needs to do to comply with the CCPA.
Under the CCPA, businesses must:
- Provide a clear ‘Do Not Sell My Personal Information’ link on the website homepage that lets consumers opt out of the sale of their data to third parties.
- Notify consumers, at or before the point of collection, which categories of personal information are collected and the purposes for which they will be used.
- Stop selling the data of a consumer who has opted out within 15 days, and notify every third party to which the business sold that consumer’s data in the preceding 90 days, as the Attorney General’s proposed regulations require.
- Obtain opt-in consent from a parent or legal guardian before selling the personal information of consumers under 13, and from the consumer directly for those at least 13 but under 16.
- Provide consumers, free of charge and on request, with the personal information collected about them (a business must honor such requests up to twice in a 12-month period).
- Confirm receipt of a disclosure or deletion request within 10 days and explain how it will be handled; the substantive response is due within 45 days.
- Offer financial incentives (discounts, different prices, or different levels of service) in exchange for personal information only where the difference is reasonably related to the value of the consumer’s data and the consumer has opted in.
- Refrain from discriminating against consumers for exercising their rights under the CCPA.
A business subject to the CCPA that fails to comply faces civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. Separately, consumers have a private right of action for certain data breaches caused by a failure to maintain reasonable security practices, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Enforcement falls to the Attorney General of California, who must adopt the implementing regulations by July 1, 2020 and may not bring enforcement actions before that date. The proposed regulations are published on the Attorney General’s website.
As stated above, what is outlined in this post is just that, an outline. If you’re unsure whether your business complies with the CCPA, Adfire Health can help you understand what full compliance requires. Email us at firstname.lastname@example.org for more information.