In an era where information can easily be captured, shared, and stored, the privacy of personal data is becoming an essential area of focus in today’s electronic world. While customers are starting to become savvier and educated about the Internet and privacy concerns, they are also becoming more distrustful about how organizations collect and use this information.
Similarly, most consumers are now willing to perform extensive research to learn more about the product they are using. Whether it’s taking out smartphones in the grocery aisle or doing a quick web search during an online order, consumers want smooth access to data regarding ingredients, features, benefits, and dietary claims.
A ZDNet survey revealed that 85 percent of American customers would likely stick with a business during a brand crisis if it has a great history of being transparent. This is because consumers naturally view companies who voluntarily provide transparency and privacy protection as more trustworthy and reliable than those who don’t.
One of the most prominent U.S. statutes that puts great importance on business transparency is the California Consumer Privacy Act (CCPA) of 2018, which was intended to improve privacy rights and consumer protection for California residents. Enacted in 2018, the CCPA was ratified in 2019 and hit the ground running at the beginning of 2020.
CCPA draws similarities to the European Union’s General Data Protection Regulation (GDPR) in that it requires complying organizations to inform consumers of their individual rights and to ensure that every step is taken to act on them. Businesses that collect personal data without prior consent from customers may be penalized or sued for identity theft.
Despite their similarities, being GDPR compliant does not necessarily mean that a business is CCPA compliant by default. This is because GDPR and CCPA have vital differences, which include territorial reach, levels of specificity, scope, and the definition of personal information. Nonetheless, GDPR-compliant organizations will only need to make several adjustments to their privacy policies to adhere to the standards of CCPA.
CCPA characterizes personal data as information that describes, identifies, relates to, or can be directly or indirectly linked with a particular consumer. This data includes names, online identifiers, postal addresses, aliases, email addresses, social security numbers, Internet protocol addresses, passport numbers, driver’s license numbers, and unique personal IDs.
Meanwhile, the sale of personal information is described in the CCPA standard as renting, selling, disclosing, releasing, making available, communicating orally or in writing, and disseminating data to another entity for a monetary or other valuable consideration.
Among the changes GDPR-compliant organizations have to make is to ensure that their privacy policies correspond with the CCPA consumer rights, which include the following provisions:
Right to Know
CCPA establishes that consumers have the right to know what personal data is collected, communicated, used, or sold by the organizations holding it. The statute requires businesses to provide transparency into both the broad categories of information they gather and the specific personal data they hold.
Right to Delete
Every customer can ask businesses and service providers to delete their personal information. The organization should comply with its consumers’ requests to avoid fines and the potential reputational damage that comes with legal troubles.
Right to Opt-Out
CCPA gives customers the right to opt out if they do not want their information to be sold to third parties for any purpose. Businesses looking to sell customer information must first obtain opt-in consent for children 16 and under, while for those in the 13-or-younger group a parent or guardian must give that permission.
Right to Non-Discrimination
CCPA prohibits organizations from making derogatory comments or engaging in any form of discrimination against a customer for exercising their privacy rights.
In general, CCPA applies to any organization, including any for-profit business, that gathers the personal information of consumers, does business in California, and meets at least one of the following parameters:
- Has an annual gross profit above $25 million
- Purchases or sells the personal data of more households and consumers
- Earns over half of its annual profit from selling the personal data of consumers.
Businesses that meet these thresholds are also required to implement and uphold reasonable security procedures and practices to safeguard customer data. Failure to follow these requirements could lead to hefty fines, with each intentional violation pegged at $7,500 and each unintentional violation at $2,500. The CCPA also requires organizations to resolve alleged violations within a month of being informed of non-compliance.
On the other hand, the CCPA does not require non-profits and smaller companies that neither meet the profit parameters nor traffic massive amounts of personal information from California residents to comply with its standards. Nevertheless, it is worth noting that entities outside the state that collect the personal information of California residents may be required to meet the CCPA standard.
While the CCPA took full effect on January 1, 2020, enforcement and the determination of penalties will be delayed until July 1. This is because a myriad of internet-based businesses located in California have argued for federal legislation that would establish uniform standards across the United States.
Most of these online businesses are concerned that each violation of the CCPA could potentially trigger thousands of dollars in penalties, which can add up to a significant amount across millions of users in the state alone.
Currently, many companies and their service providers are awaiting final guidance from the California Attorney General regarding CCPA. News of a regulatory update came out last February 7. Still, some organizations were disappointed to find that the update did not include the final standards.
According to the Attorney General, the update only displayed revisions to the proposed standards issued in 2019 and announced a new comment period scheduled for February 24. The CCPA updates include the following:
Definition of Personal Information
The Attorney General released a guide for businesses to help them interpret defined terms in the CCPA. More specifically, the update clarified that whether data counts as personal information depends on whether the organization keeps the information in a way that “recognizes, describes, relates to, and is reasonably able to connect directly or indirectly with a specific household and consumers.”
By providing guidance and a proper definition of personal information, the update lets businesses address their concerns about the information they can collect. For instance, if an organization gathers the IP addresses of visitors to its website but does not connect or reasonably link them to any particular household or consumer, then the IP address would not be considered personal information.
The Importance of Adhering to Industry Standards
While the update confirmed the need for online notices to be accessible, businesses would have to follow standards such as the Web Content Accessibility Guidelines, version 2.1 of 2018, from the World Wide Web Consortium to be compliant. The proposed regulations also provided that organizations could not use personal data for any purpose not disclosed in the notice at collection.
CCPA also made significant changes to the contents of the notice at collection, requiring organizations to list the categories of personal information to be gathered. However, the update would eliminate the requirement to record the purpose of use for each category. In short, it appears that it would be adequate to indicate the business or commercial purposes for using all of the types of personal data together, rather than each one individually.
This change is expected to streamline the notice at collection and would extend to privacy policies as well. Businesses are no longer required to add a “Do Not Sell My Personal Information” link to notices at collection that concern work-related data. What is more, the notice could now be linked to the privacy policies that apply to a business’s employees and applicants rather than to consumers.
Introduction of Opt-out Button
Proposed regulations issued last year required a two-step method for internet requests to erase personal data. The update would make the two-step process optional by providing an opt-out button that enables consumers to restrict businesses from using or selling their personal information for business or commercial purposes.
Aside from internet requests, the update requires businesses to make a toll-free number available for submitting claims. Website operators, on the other hand, are prohibited from using an interactive web form for submitting requests; instead, they are required to have an email address ready to answer consumer queries.
Change in the Duration of Notice Requirements
The update also tweaked the duration of specific notice requirements. Organizations will now have ten business days to confirm receipt of a request to delete or a request to know from their consumers. The update changed the general response time for these requests to 45 days as well.
Moreover, the update also prohibits a business from searching for personal data in response to a request to know when the business:
- Does not store the personal data in a searchable or reasonably accessible format
- Maintains the personal information solely for compliance or legal purposes
- Does not purchase the data or use it for a commercial purpose
- Describes to the customer the categories of records not searched because they met the three conditions above.
Furthermore, the update also clarifies that a service provider that receives a request to delete or a request to know can either inform the consumer that it cannot act on the request because it is a service provider, or respond on behalf of the business.
As the CCPA continues to undergo regulatory changes, organizations that operate in California or do business with California residents should monitor developments so they can voice concerns and pose questions about the statute.
Why Be CCPA Compliant Today?
The California legislature is on a data privacy tear at the moment. While this could mean significant gains for customers in the state, it can also bring a host of advantages for businesses trying to make a mark in one of the most populous states in the country. While it may seem expensive and time-consuming to become CCPA compliant now, doing so will pay off in the long run as more data regulations continue to be passed in the United States.
Perhaps the most significant benefit of CCPA is the competitive advantage it gives businesses in gaining more customers in an exceptionally challenging target market. As consumers become more aware of these laws, they naturally shift towards doing business with companies that are equipped with the necessary tools to protect their information.
It also helps your organization gain a marketing advantage, since CCPA restricts the sale of customers’ personal information. While this may seem counterintuitive, it can create more opportunities for businesses to attract new customers because they are forced to rely on first-party data. More often than not, marketers work with inaccurate data because it is collected from third parties and its source remains unknown.
By adhering to CCPA regulations, your organization can put robust, legislation-informed data protection measures in place, which could lead to better marketing outcomes. This also helps businesses address the desires of their customers, as CCPA forces the former to interact with the latter to address their needs.
The provisions of CCPA continue to evolve as more and more organizations voice their concerns about the particulars of the statute. This could create confusion for business owners who are not familiar with the technical side of compliance.
This is why contacting an expert like RSI Security is essential to help you navigate the complex world of compliance and ensure that you are meeting each requirement without breaking a sweat. Get in touch with RSI Security today and find out how you can achieve CCPA compliance the easy way.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.