CCPA is the acronym for the California Consumer Privacy Act. It is the first act of its kind in the U.S. and only covers residents in California. CCPA mirrors the standards set down in 2018 by the European GDPR (General Data Protection Regulation) which protects consumers’ private information, including names and email addresses.
CCPA law was written and rapidly passed into law in January 2020, without a lot of clarification. This has left businesses across the U.S. wondering if CCPA standards apply to them.
What is the CCPA Privacy Law
CCPA – also referred to as AB 375 – is a privacy law that protects consumers’ personal information, though its scope is limited to only California residents. It requires companies to be more transparent with consumers about who their personal information is being shared with. It also requires companies that sell or share personal data to give consumers an opt-out option without any penalties from the business.
The law did take effect on January 1st, 2020 after a few minor changes had been made. The main one applying to employee private information and whether it fell under CCPA regulations. The final law does not apply to the business’s workforce, only consumers’ private data. The other adjustments dealt with who the CCPA law affects.
Businesses Affected By CCPA
CCPA is state law but it can affect businesses across the U.S. Regardless of where the business is located if the consumer legally resides in California their information is automatically protected by AB 375. However, not all businesses meet the criteria set down by the CCPA privacy law.
Any business with customers in California that also meet the following guidelines must be CCPA compliant.
- Annual revenue is $25 million and higher.
- Collect data from residents of California.
- 50,000 users/consumers’ data is stored by the business or a third-party associate. This also includes consumer devices.
- Over 50% of company revenue is generated from selling data.
Many small, local – in the state- businesses could be currently exempt from CCPA if they do not meet these guidelines. Here are a few other reasons a business might be exempt from CCPA penalties.
- Personal information is already protected by HIPAA
- Any financial company that is covered by Gramm-Leach-Bailey.
- Credit reporting agencies that are compliant with the Fair Credit Reporting Act.
In these instances, other laws are in place that regulates how organizations use protected personal information.
Understanding CCPA Regulations
If any U.S. business has customers in California they must follow CCPA law. It does not only apply to in-state organizations. This is one of the reasons that many businesses are checking to ensure that the personal information of their California customers is protected. This means that they must understand CCPA regulations.
These regulations are defined as any personal information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Legislators also included a few examples of consumer information that could be protected under CCPA.
- Email address
- Online handles
- IP address
- Biometric information
- Geolocation data
- Browsing and search history
If any of this information is shared without the consumer’s consent, it could result in penalties.
CCPA violations are enforced by the California Attorney General and consumers. Both parties have the right to enforce CCPA standards. Consumers can bring civil suits against organizations with fines ranging from $100 to $750 per violation. The state’s Attorney General can charge penalties up to $7,500.
The fines for companies that violate Californian consumer privacy are lower than those that could be brought by the state. However, lawsuits filed by private citizens do have an advantage. Civil litigation does not require consumers to prove they suffered financial loss, only that their information was used in a way that violated their rights under CCPA law. This has organizations with customers in California turning to companies like RSI Security to help them meet CCPA standards.
How to Meet CCPA Compliance Standards
Companies that have already met GDPR standards will find that it’s easier for them to comply with CCPA law. There are a few tips that can help businesses protect themselves from possible penalties and civil lawsuits and they can be broken down into three categories.
There are several steps businesses must take within the three categories to avoid CCPA penalties.
Prepare for CCPA Regulations
All data that an organization has on consumers should be identified and classified as to whether it falls under CCPA guidelines. This means that all the information should be checked to learn if permission requirements for the data users are required by the customer.
CCPA law states that information that has not been requested by the consumer and is over 12 months old is not subject to privacy regulations but it should still be classified. This is in the event that a consumer “opts-out” and their information has not changed.
Once the data has been analyzed and classified, protocols on its usage should be put in place. This can include limiting employee access to the data. Any consumer information older than 12 months should also be deleted or placed in an “archive” folder.
Security protocols will limit – and prevent – unauthorized access to personal data. Employees with access to protected consumer information will need to be familiar with and know how to implement the protocols.
The security measures should be evaluated regularly. Cyber threats are constantly changing and an organization’s security protocols need to be current. Data new and old should be constantly evaluated to ensure it is properly classified and protected.
Companies can easily comply with CCPA regulations by following these standards. However, there are still questions concerning compliance.
What CCPA Means to Companies
The California Consumer Privacy Act affects any business that has data on California residents. Any company with customer personal information protected by CCPA should have privacy notices prepared to send to all customers that reside in California. The following should be included in the notice that must be sent electronically.
- Describe how consumers’ information is collected
- How the collected data will be used
- Who the data was sold to – list of third-party email addresses
- Description of the consumers’ rights under CCPA
While the act did go into effect in January 2020, the state Attorney General has declined to enforce any penalties for the first six months. This does not apply to individuals. Consumers can file civil suits as early as January 1st, 2020.
GDPR vs CCPA
Companies that already comply with GDPR standards might not be in compliance with CCPA regulations. Even though the two laws are similar, there are differences. The two that affect companies that handle data from California residents are
- Restrictions on the sale of personal information
- ·Minimal or no discrimination by companies to consumers that “opt-out”
The EU’s GDPR and CCPA do have the same policies when it comes to,
- Notifying consumers if their data was breached
- Consumer right to opt-out of data storage/sharing/selling
- The right for a consumer to sue a company that did not obey their decision to opt-out.
- Consumers have the right to access their information, including a list of third-parties with access to it
- California residents can request that their information is deleted free of charge and without any discrimination from the company.
Even though data sharing/collecting companies are the most affected by CCPA, they are not the only businesses. All third-party associates must also be in compliance with CCPA. Richard Vestuto at Deloitte Transactions and Business stated,
“In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties.”
For many businesses, it will be difficult to ensure third-party compliance. Contracts between businesses and third-party associates help to ensure compliance across all facilities. It can also help reduce the risk of a company’s failure to comply with CCPA standards.
This will require businesses to review all third-party associates that have access to personal protected information. As previously mentioned, the security protocols in place should be the same for third-party associates as it is for the businesses.
What CCPA Means to Consumers
AB 375 or CCPA also affects consumers, though differently than businesses. The recent act may only be a state law in California, but it affects every company that conducts business there. This means that any company with consumers in California will be applying the same protocols to protect the information of its other customers.
The state law does have a few benefits that only apply to Californians.
- Right to ask companies to delete personal data
- Option to opt-out of personal information sharing/selling by the company
However, due to CCPA requirements, most businesses are finding that it is more efficient to notify all consumers about their data and implement the same security protocols for all collected information. Even consumers that live out of state will know how their data is being used.
The Next Steps for Consumer Privacy Laws
The California Consumer Privacy Act is the first step towards protecting customer data in the U.S. and other states are drafting similar legislation. This is in response to growing consumer awareness of how their information is being shared. It also puts a greater emphasis on how companies manage collected data.
CCPA California privacy law gives consumers the right to decide how their private information is used. Consumers can tell companies to stop collecting their data, without any repercussions. This means that they will still be eligible for the same sales and discounts as other customers. CCPA is also giving customers the right to know who has their private information. In effect, the California law has given consumers the power to decide how their information is collected and used.
While CCPA law is a first step in protecting consumer rights, it does have loopholes.
- It is up to an organization’s discretion to obey a customer’s request to delete their information if the business believes that the data could be useful for security or if the context of the deletion request reflects the consumer’s desire to still be a loyal customer.
- CCPA law does not define the difference between personal and public information. The current law leaves this decision up to the company’s discretion.
- Personal information can be exempt from CCPA if it is determined to be useful to company operations. This loophole mainly affects company employees.
- Not all “information sales” are covered under CCPA. Its language may be too broad to cover information sales between a supplier and 1000’s of ad agencies. If the consumer’s main reason for having information deleted was to stop unsolicited emails, this loophole may allow the ads to continue coming through.
CCPA regulations apply to any company that meets the mentioned criteria, however, most businesses are choosing to comply with the standards even if they’re located out of state. The California Consumer Protection Law may only be state law, but other states are considering enacting their own versions of CCPA.
Identifying, classifying, and protecting consumer information can be time-consuming and expensive for businesses. The experts at RSI Security can help companies implement the necessary security protocols and meet all CCPS compliance standards.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.