It wasn’t long ago when the EU’s General Data Protection Regulation (GDPR) went into effect and caused internet frenzy. The GDPR compelled people to care more about their personal information and how the information is being used by merchants and businesses with or without their consent. The policy actually pushed people to rethink how their internet activities could put them at risk, both financially and emotionally.
What could be more traumatizing than having to pay thousands of dollars because your credit card details were stolen from you? Or, how do you actually deal with sensitive photos of you leaking on the internet? How can you actually recover from severed relationships when you become a victim of identity theft and the person who stole your identity tricked your loved ones into sending him or her money?
In this day and age when all it takes is just a few clicks on a computer to get your information delivered into the hands of hackers, how protected do you think you are?
This is where the California Consumer Privacy Act (CCPA) of 2018 comes into the picture. If the GDPR is considered as the core of Europe’s digital privacy legislation, the CCPA is said to be the toughest privacy law in the United States. It aims to protect California consumers and secure their privacy against abuse by different businesses that collect their personal data.
And, even though you’re not from California or the EU, it is still worth knowing how policies like these are making a difference and how they’re holding companies responsible in case of data breaches and leaks. In a business owner’s standpoint, you wouldn’t want to risk non-compliance, so it’s important to know what the major provisions of the CCPA are and the penalties for non-compliance. Let’s get to know the other important details about the CCPA.
What Are The Major Provisions of CCPA?
The California Consumer Privacy Act provides consumers:
- The right to know which information is being collected, where and how it was sourced, how this data are being processed once collected, which of the information is being sold if any, and to whom the data are going to be sold to.
- The right to decline on allowing a business or a company to sell their personal data to another business or any third party.
- The right to request to the business to delete any personal data that was collected from them if they refuse this data to be stored in the business’ database, with some exceptions; and
- The right to equal services and disclosure requirements while they are exercising their privacy rights under this Act.
The provisions of CCPA are created to put all the rights mentioned above into practice. The act ensures that these companies and businesses disclose important information through privacy policies during, after or even before they collect consumers’ personal data.
Companies and businesses that sell the data they collect to third parties will need to disclose this new practice and give consumers the freedom to decide to push through or opt out of the sale by providing a link with the title “Do Not Sell My Personal Information” on the homepage of the business’ website. This is going to be known as the right to “Opt Out”. Furthermore, the act also prevents the personal data of minors, 16 years old and below, to be sold without consent from their parents or guardians. This is going to be known as the right to an “Opt In” option.
The CCPA also holds businesses accountable should they lose consumers’ personal information and gives consumers the power to pursue civil action to recover damages.
The Definition of “Personal Data”
According to DataPrivacyLaw.com, personal data refers to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address and geolocation data, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. To put is simply, any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Professional (employment-related information) and education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not include information that is publicly available. For the purpose of the act, “publicly available” means lawfully made available whether federal, state or local government records, if any conditions associated with information as such. “publicly available” does not mean biometric information that a company or business collects without the consumer’s knowledge.
Who Does the Act Protect?
The CCPA protects consumers or residents of the state of California. The Golden State is the fifth largest economy in the world and experts are suggesting that by the end of 2019, there will be at least 40 million people in the state. Because of California’s economic presence, there are a lot of companies that serve the citizens of California, even those ones that have no physical presence in the state.
And, even though a company is not based in California, it is likely to implement the Act’s requirements not just for their customers or consumers that are in the state but also to those that are residing in other parts of the US. The reason is, it will be expensive and more confusing to personalize and to create a different website for their consumers that are not based in California.
What are the specific CCPA requirements?
According to the group, Californians for Consumer Privacy, the CCPA will remap how businesses collect and use the personal data of their customers and store all the personal data of customers that they collect. The following are required to adhere to the CCPA:
- Businesses (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners) that collect personal data of at least 50,000 consumers, household or device
- All businesses that has an annual gross revenue of $25 million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Businesses that earns more than 50% of its revenue from consumers’ personal data sales
- Businesses that derives 50% or more of its annual revenues from selling consumers’ personal information.
A company also is exempted from its compliance obligations under the Act “if every aspect of commercial conduct takes place wholly outside of California,” meaning that: (1) the business collected the information from the consumer in question while he or she was outside California, (2) no part of any sale of his or her personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold. Realistically, though, many companies will remain subject to the Act by virtue of having “consumers” (California residents) among their customers, as described in further detail below.
A business or a company will be exempted to adhere to the compliance obligations under PCCA if they commercially conduct business, in all aspects, outside of the state of California. This means that the information should be collected by the business from the consumer in question, the time that he or she was not in California.
What Are The Penalties for CCPA Non-Compliance?
Under CCPA, all violators and non-compliant parties will be penalized with monetary fees and may also result in the loss of clients and business reputation – read on to view the specific dollar amount of fines. These non-compliance penalties are serious and hard to ignore. The only way to avoid penalties for CCPA non-compliance is obviously by complying to the provisions of the CCPA.
There are risks and corresponding fines as penalties for non-compliance and any party that will be found guilty of non-compliance will either face:
Consumers are given private rights of action under the CCPA and if they opted out of a data sale but their data is sold knowingly and willfully by a business without their consent, statutory damages could be between $1,000 to $3,000 or actual damages, whichever is greater. In a nutshell, the CCPA empowers consumers to file class action suits for privacy losses without requiring them to show any evidentiary loss of property or money.
The State’s Attorney General or Municipalities can enforce the law and they are expected to file a civil case against any business, company, or party that will not comply to the CCPA guidelines after 30 days from the moment that they were notified about it. In the same way, businesses have 30 days to cure alleged non-compliance within 30 days following notification from the state or else, they will be liable to pay fines of up to $7,500 per violation.
In the event of a breach, consumers can recover damages of not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater or injunctive or declaratory relief or any other relief the court deems proper. While the fines for the CCPA are not as costly as the GDPR, sizable data breaches for thousands of consumers could be a big blow to any business.
Penalties for non-compliance could go up to millions. For example, if a business violated the rights of 10,000 consumers, penalties for non-compliance would be $750 multiplied by 10,000 which is equivalent to a staggering $7,500,000 non-compliance penalties.
What Affected Businesses Should Do To Comply And Avoid Penalties for Non-Compliance?
Businesses that will be affected by the said law are going to be required to adjust and use the remaining months of this year to do some reform on how they do business to avoid being at risk of being fined with large non-compliance penalties.
To avoid non-compliance penalties businesses must:
- Make sure that the information is readily available in case a customer request for information and details on what personal data were collected from them.
- Onset or prior to the collection of data, inform the customer how this information will be used.
- Though businesses are only required to send requested info up to twice in a 12 month period, businesses should disclose and send the customer personal data whenever they request. Keep collected customer data for a one-time transaction if the data is not retained or sold.
What businesses and marketers should do?
Aside from avoiding huge penalties for non-compliance, businesses and marketers should make sure to be ready and willing to clear all the data collected from California-based residents upon request.
But there are instances wherein a business can keep customers personal data. Businesses can keep the data even if a customer requested to if:
- The information is needed to debug and/or repair errors that affects current intended functionality
- If customers’ personal details are necessary in order for companies to exercise free speech or if businesses need to make sure another consumer’s right to his or her right of free speech or any other right is exercised provided for by law.
- The information is of public interest whether historical, scientific, or statistical research purposes.
- Businesses need the data to comply to policies and laws.
Personal data security is one of the serious issues that this generation is facing. Technology has indeed made our lives easier and better but one may argue that at the same time, there are things that may go out of control and may affect us negatively. If the use and the sale of personal data will not be regulated, data breaches and data leaks are likely to happen. Before people know it, their personal information could be used by criminals to inflict pain or suffering to others.
Businesses need to follow the CCPA’s guidelines not only to avoid violating customers’ rights or avoid penalties for non-compliance. Their motivation should also be to take part in the government’s bid to protect its citizens so they can fully benefit from the digital economy. Laws protecting data privacy like the CCPA can protect consumers against any abuse and will strengthen security to avoid any possible damages. The California Consumer Privacy Act of 2018 is a pioneer and it will serve as a pattern for the rest of the 48 states in the United States of America.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.