What is CCPA? How Do You Ensure Compliance with CCPA?
In this day and age, data is the most important asset that businesses need to protect.
All businesses, big or small, have access to more data than ever. This includes customer data, suppliers’ data, accounting data, and more. The CCPA (California Consumer Privacy Act) was enacted in the state of California to protect consumer data and safeguard consumers’ interests.
In this article, we will discuss CCPA in detail and cover topics such as:
● What is CCPA?
● Difference between CCPA and GDPR
● Which business does the CCPA apply to?
● What is personal information under CCPA?
● What are the consequences of non-compliance with the CCPA?
● Steps to become CCPA compliant
What is CCPA?
The CCPA was introduced on the 1st of January, 2020, in the state of California to protect consumers’ personal information. The act allows consumers to find out what information a business collects about them, and how that information is used or shared. A consumer can ask a company to delete or alter their information under Section 1 (AB 1146) if they feel it will have an adverse effect on them or hinder their privacy. For example, a customer may not want a photo of them taken after a hair transplant to be shared.
In order to comply with the CCPA, businesses should take the following steps:
● First, find out whether the CCPA applies to your business.
● Provide an opt-in option to obtain users’ prior consent before selling their information, and parental consent for under-age users.
● Provide a ‘Do not sell my data’ option so users can opt out of having their information sold.
CCPA and GDPR: A comparison
The CCPA and GDPR share the same objective: protecting consumers’ data and information from misuse. However, there are a few differences between them, as we'll see below:
● Commencement Date
The CCPA has been effective since 1st January 2020, while the GDPR came into force on 25th May 2018.
● Information Protected
The CCPA protects information that identifies, describes, or is associated with the consumer, such as photos or videos. The GDPR, on the other hand, protects specific pieces of information about a consumer, for example, a credit card number.
● Territorial Scope
The CCPA applies only to the state of California, while the GDPR applies to any data subjects who are citizens of the European Union.
● Businesses Covered
Businesses that earn more than $25 million, collect data from more than 50,000 consumers, and generate more than 50% of their revenue by selling consumers’ data come under the CCPA. Any business around the globe that handles the private data of EU citizens comes under the GDPR.
● Penalties
Under the CCPA, a fine of $2,500 to $7,500 is charged for a violation, depending on the decision of the Attorney General of California. The penalty under the GDPR can be 4% of the company’s annual turnover or €20 million, whichever is higher.
Which businesses does the CCPA apply to?
The CCPA applies to businesses both big and small. All companies that are in the business of collecting data or information from consumers need to comply with the CCPA.
Specifically, businesses that come under CCPA compliance are:
● Businesses based in California or dealing with consumers in California.
● Businesses engaged in collecting consumers’ personal data.
● Commercial organizations that make more than $25 million gross profit annually.
● Companies that collect and sell the data of more than 50,000 users.
● Businesses that generate more than 50% of their revenue by selling consumers’ data.
● Companies handling the data of more than 4 million users, which face additional obligations under the CCPA.
Businesses exempt from the CCPA are:
● Businesses not based in California and not dealing with California consumers.
● Businesses not engaged in collecting consumer data.
● Nonprofit organizations.
● Credit reporting agencies that fall under the Fair Credit Reporting Act.
● Financial companies that fall under the Gramm-Leach-Bliley Act.
● Health care providers covered by HIPAA (Health Insurance Portability and Accountability Act).
What is personal information under CCPA?
Personal information under the CCPA is anything that describes or is associated with a consumer, household, or device directly or indirectly.
Personal information covered under the CCPA includes the following:
● Customer Identification
Information that identifies a customer such as a name, age, gender, photograph, and other related identifiers.
● Customer Information
Information such as a signature, social security number, driving license number, bank account, etc., comes under customer information for the purposes of the CCPA.
● Biometric Data
Information captured and recorded electronically, such as fingerprints, eye color, retina scans, and other similar biometric data.
● Commercial Details
Information such as bank details, transactions such as the purchase and sale of goods and services, payment of utility bills, etc., are all commercial records of a customer.
● Educational Background
This refers to information on how qualified a person is, for example whether they are a graduate or a postgraduate.
● Professional Information
Professional information refers to what a person is professionally engaged in.
● Location Data
Where people live, which places they visit and check in to, and where they travel are records of their location. The recent trend of Facebook and Instagram check-ins is an example of data showing the locations a person has visited.
Consequences of non-compliance with CCPA
A company that doesn’t comply with the CCPA can be fined thousands of dollars. If a business violates any CCPA provision and fails to pay the charges, it risks the complete shutdown of the business, website, or channel. Consumers are also in a position to sue companies for breaches of their private information after a notice period of 30 days. The Attorney General of California can also sue a business for violating any provision of the CCPA.
Here are some specific penalties businesses might incur if they fail to comply with the CCPA:
● Damages of $100 to $750 per violation if a company does not prove itself just and fair before the consumer.
● A fine of $2,500, charged by the Attorney General of California, if the law was violated unintentionally.
● A fine of $7,500 if the Attorney General finds that the law was violated intentionally.
Steps to become compliant with the CCPA
Here are some steps businesses can take to ensure compliance with the CCPA at all times:
● Know Your Business
First, you need to know whether your business falls under the category that must comply with the CCPA. To fall under the jurisdiction of the CCPA, your business should be a commercial organization that collects data of California consumers and generates income of more than $25 million, makes 50% of its profits by selling data, and sells the data of more than 50,000 users.
● Keep a tab on data collection
Be sure to keep an eye on all personal information your business is collecting about your consumers. This includes data collected on your website, data your employees are collecting, and so on.
● Create a data map
A data map is a very important part of data privacy management. It shows what data you collect, where it is stored, how secure it is, who has access to the data, and the purposes it is used for.
● Review your policies and procedures
Consistently review your company’s policies and procedures for handling personal information. Your employees should not be allowed to download customer data, such as accounting data for audit purposes, onto their own devices.
● Include an opt-out link
Create a process for customers to opt out and have their data deleted from your records. This is an important part of the regulation: customers can opt out of the sharing or selling of their data, or have it deleted. The link should be prominently accessible on your website.
● Improve customer communication
A company should promptly respond to customers who request changes to how their data is used. Companies should also be able to tell a consumer, on request, what private information they hold about them and how it is being sold.
● Vet all third-party contracts
● Have security controls in place
The CCPA has strict fines for data breaches. Thus, it's essential that data collected is fully secured and encrypted. Review your security control measures and make sure they're sufficient to protect your business against breaches.
● Invest in employee training
Employees must be adequately trained and educated regarding the CCPA. They must be aware of the consequences of mishandling data, and of how best to communicate with customers regarding their personal information.
The goal of the CCPA is to protect consumer information from being misused and mishandled. Businesses complying with the CCPA are thus likely to enjoy more loyalty and goodwill from customers.
If you're struggling to keep up with the various laws and regulations your business must comply with, we've got a solution for you. VComply's GRC software makes it easy for businesses in all industries to manage compliance and governance in a hassle-free way.
VComply Editorial Team