Businesses that handle consumers’ personal details are mandated to abide by the data privacy regulations of their region. To ensure consumer data is not misused, data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are enforced on organisations.
Compliance with these laws has become even more critical as the volume of data generated and shared online keeps growing.
In this article, we provide a complete breakdown of the CCPA and how it protects user privacy.
What is CCPA?
The California Consumer Privacy Act (CCPA) is data privacy legislation in the state of California that empowers California residents to exert some control over how their personally identifiable information (PII) is collected, stored, and processed by organisations. It is enforced on all businesses in California that collect the personal information of Californians.
The CCPA was enacted in 2018 and took effect on January 1, 2020. The California Privacy Protection Agency implements and enforces CCPA regulations on businesses.
Organisations meeting the following criteria are mandated to comply with CCPA regulations:
- First, the company has to handle Californians’ personal data.
In addition, the company has to comply with the CCPA if any of the following applies:
- It generates more than $25M in gross annual revenue.
- It deals with the personal information of 50,000 Californians, whether that information is bought or sold by the company.
- It derives above 50% of its annual gross turnover from selling the personal data of Californians.
This means that annual gross revenue is the second most significant criterion for determining whether a company is obligated to comply with CCPA regulations. Organisations whose core business is data sharing (for example, AdTech) are likewise obliged to attain CCPA compliance for their activities.
Companies Subject to CCPA
The CCPA applies to for-profit organisations only. Non-profit organisations, government services, and a number of financial industries are exempt from the regulations. For example, no Californian can exercise their “right to delete” to have their account or personal data removed from the records of a debt-collecting company; the debt still has to be paid.
Consumer Rights Under The CCPA
The consumer privacy rights under the CCPA are:
- The Right to Know: The CCPA mandates that organisations keep their consumers well informed about what information is being stored and how it will be used. The “right to know” provision also gives an individual clear insight into:
  - The different categories of data the organisation has collected
  - The sources from which those data categories were collected
  - The purpose of collecting, selling, or storing the data
  - What data is being sold or shared with third parties
- The Right to Delete: Under this provision, individuals have the right to request that companies handling their data delete it from their records. Businesses are encouraged to keep a confidential record of consumer deletion requests for compliance purposes.
- The Right to Correct: Consumers have the right to request that organisations correct any inaccuracy in the personal data they hold. When carrying out a correction, the nature of the data being corrected and the purpose for which it is processed should be taken into account.
- The Right to Opt Out: This provision grants consumers the right, at any time, to demand that a business selling or sharing their personal information with third parties cease that sale or sharing.
- The Right to Limit Use or Disclosure: The CCPA gives individuals the right, at any time, to direct businesses that collect and process sensitive personal information to limit its use to what is necessary to fulfil the defined purpose.
- The Right to Non-Discrimination: Organisations are strictly forbidden from discriminating against those who exercise their CCPA rights. For example, no additional charge can be imposed on them for regular services.
Obligations on Companies Subject to the CCPA
Companies subject to the CCPA framework are mandated to:
- Draft and provide users with a well-thought-out privacy policy that clearly discloses the data collection and data sharing practices the company adopts.
- Respond to any request to access, correct, or delete user information within 45 days of receiving it from a verified user. Charging a fee to respond to such a request is considered a violation of the CCPA.
- Send a privacy notice to consumers informing them of their right to opt out of any sale or sharing of their data. If the consumer is a minor, the business must obtain consent from the data holder or their parents/legal guardians before selling or sharing their information with third-party services.
- Release user data only to the person it actually belongs to, meaning the consumer’s identity must be verified before a request is fulfilled.
- Enforce stringent data protection measures (encryption, multi-factor authentication, firewalls, etc.) to protect personal data from being breached.
What Types of Personal Information are Regulated?
The CCPA defines personal data as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA categorises personal data as follows:
- Direct identifiers – names, addresses, email addresses, social security numbers, aliases, passport details, national identity card details, signatures, driver’s licences, etc.
- Indirect identifiers – pixel tags, cookies, IP addresses, account details held with a company, beacons, etc.
- Biometric authentication details – face, iris, retina, fingerprint, DNA, etc.
- Geolocation data – location tracking by devices such as GPS receivers
- Online activities – search and browsing history, data gathered by a website, application, or software during interaction, etc.
- Sensitive data – behaviour, preferences, medical history, religious beliefs, sexual orientation, etc.
How to Become CCPA Compliant
Becoming CCPA-compliant is a complex task that may take around six to 12 months to accomplish. It requires a systematic approach, and businesses must follow several steps to get there.
First, check whether you meet the CCPA compliance criteria listed above.
Any business striving to comply with the CCPA also needs a culture of transparency and accountability throughout its data processing. Next come the rights the CCPA obliges companies to provide to their consumers.
Attaining CCPA compliance then requires the following steps:
- Evaluate what personal data you need to collect and catalogue it accordingly. Account for every data source from which data flows into your business so that you can effectively locate all customer data. Consider data collected both externally (gathered from users outside your business) and internally (collected from your company staff and users). The CCPA mandates that enterprises store this personal data securely by implementing strong security measures.
- Limit the amount of personally identifiable information (PII) you hold to what is strictly needed. Implement preventive measures that protect user data if a breach occurs (for example, automatically deleting data once its purpose is fulfilled).
- Build a team of experts to handle and monitor data privacy. Train them on CCPA compliance requirements, best practices, and the associated processes and system updates. For employees in customer-facing roles, this training is critical.
- Establish a data governance policy and framework tailored to your business. These policies should cover the monitoring and management of customer data, including controlling vendor access and addressing risks within the supply chain.
- Manage vendor relationships: evaluate whether any external service you partner with complies with CCPA requirements. If not, bind them to compliance through contractual agreements, and include CCPA adherence requirements and data protection terms in your contracts.
- Maintain an audit trail to enable retrospective review, so you can pinpoint areas for improvement and the lessons your staff have learned from previous events. Regular auditing also helps you update and amend your policy over time.
- Stay up to date with amendments and corrections to the CCPA sections. The CCPA underwent such revisions a few years ago: to further refine and augment the rights of Californians, the State of California passed the California Privacy Rights Act (CPRA) in 2020 and enforced it in 2023. It imposes new privacy rights for consumers and new obligations on organisations, such as advanced data protection and data minimisation provisions.
Penalties for Non-compliance
Failing to comply with California data privacy regulations can expose businesses to severe repercussions: hefty fines, penalties, damage to brand reputation, and more, which can decrease ROI significantly.
The CCPA defines the penalties businesses incur for violating any of its rules. A violation might include:
- Not having a CCPA-compliant privacy policy in place.
- Not responding to a data access/disclosure request from an authorised user.
- Not informing users that their personal data is being collected.
- Not allowing consumers to opt out of the sale or sharing of their personal data with external services.
Note that no penalties are imposed on an organisation as soon as non-compliance with CCPA standards is identified. A ‘cure’ period of 30 days is allowed for rectifying the issues; otherwise, the organisation will be penalised.
The penalties set out in the CCPA regulations are imposed on businesses by the California Attorney General. For unintentional non-compliance, the maximum civil penalty is $2,500 per violation. For intentional non-compliance, it can be as high as $7,500 per violation.