Learn About CCPA in Two Minutes
In recent times, it has been said that data is the new oil. This quote stems from the rapid success of data-driven tech companies. At first glance, it seems true that data is the new oil since the world’s most valuable companies are hugely data-driven. Upon closer investigation, you realise that unlike oil, handling data is far from straightforward. After collecting it, a business would need to analyse it, and use the conclusions gleaned to increase revenue. After a series of high-profile data breaches, the handling of data by companies has been called into question. This has led to the introduction of stringent data laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA).
What is CCPA?
The CCPA is a data privacy law. It gives residents of California the right to view, authorise the use of, and delete data that companies collect about them. Consumers can sue companies subject to data breaches that have compromised their data. This law also requires companies to notify consumers of these rights. It operates on an opt-out basis, meaning that a company will use your data as disclosed in the privacy policy unless you opt out.
When Does the CCPA Take Effect?
The California Consumer Protection Act took effect on January 1, 2020. Prosecution for non-compliance won’t begin until July 1, 2020.
What Are the Requirements Laid Out by the CCPA?
Your business should inform data owners upfront of all categories of personal data it is collecting and how this data is used. Personal data includes:
- Identifiers such as names, aliases, postal address, unique personal identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.
- Customer records information. Such information includes a description of physical characteristics, education, employment, credit or debit card number, other financial information, medical information etc.
- Characteristics of protected classifications. These include race, religion, sexual orientation, gender and age.
- Commercial information. Examples are records of personal property, products or services purchased, obtained or considered.
- Biometric information such as hair colour, eye colour, fingerprints, retina scans, facial recognition, voice or other biometric data.
- Electronic network activity information, such as browsing history.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory or similar information.
- Inferences that could be used to create a profile reflecting a consumer’s preferences, characteristics, behaviour, attitudes, intelligence, abilities etc.
Your business should give data owners the right to know what information about them it has collected in the previous 12 months.
Your business should give data owners the right to deny consent for the sale of their personal information. An opt-out link should be prominently displayed.
Upon receiving a request to delete a consumer’s information, you should remove it. This also holds for third parties you share such information with.
Your business should not discriminate against consumers who have exercised their CCPA rights. For example, you should not deny them services, charge more or force them to opt-in to access any services.
What Are the Penalties for Violation?
The penalties for infringement are a minimum of $7500 per violation. There is no limit on total penalties. This should give you enough incentive to comply quickly because the fines and penalties can easily run you out of business.
Who Should Comply With the CCPA?
The California Consumer Protection Act applies to entities meeting the following criteria:
- For-profit businesses.
- Entities doing business in California.
- Entities that collect or have collected personal data from California residents.
- Entities that determine the purpose and means of processing that information.
- Entities that buy, sell or share personal information of 50,000 or more consumers per year.
Businesses both directly and indirectly transacting with California residents are affected. For instance, holding companies and subsidiaries of entities need to be compliant with the CCPA.
Who is protected by the CCPA?
Consumers and employees protected by the CCPA are those who qualify as California residents under the state’s tax laws. This means they are relatively permanent residents of the state.
How to Comply With the CCPA
The first step in compliance is to get familiar with the requirements discussed in this article. The second is to map your data and its flows, and see how best to comply with the outlined regulations. You need to consider third and fourth parties that you share data with since they too need to be CCPA compliant. Implement all the necessary procedures to give data control to your consumers, and you should be good to go.
Data may or may not be the next oil, but the penalties for non-compliance with data laws are sure to be steep. These laws are here to stay. Look at compliance less as patching up a liability and more as a future asset. In the future, consumers will favour companies that respect their privacy, so why not start building that image now?