In 2018, the Facebook-Cambridge Analytica scandal came to light, raising serious questions about how consumer data was being used. Later that year, California enacted the Care About California’s Privacy Act (CCPA) requiring more data transparency and giving consumers more privacy rights. The Act grants California residents greater control over how their data is collected, stored, shared, or sold. Is your business complying with the new CCPA regulations?
Learn about the importance of compliance with our comprehensive guide.
Why Should You Care About the CCPA?
- The CCPA points to a trend in changing attitudes toward the government regulating technology and privacy.
- Data usage transparency engenders trust between consumers and companies.
- Thorough knowledge of privacy regulations helps companies avoid costly non-compliance penalties and legal disputes.
The Purpose of the CCPA
Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA grants people rights over how their personal information is used. It defines what rights consumers have over their data. Justin Brookman of Consumer Reports noted,
“The CCPA is certainly historic. It provides new rights around commercial data collection that have never existed before in this country.”
Under the CCPA, California residents possess four major rights.
1. The Right to Know
Consumers have the right to ask why companies are collecting, storing, or selling personal data and what type of data is impacted. Furthermore, consumers can inquire where the information is collected from, such as subscriptions or social media mining. Third-party or partner company transactions also pertain to this right. For example, many companies outsource tasks to third parties, which requires the transfer of customer personal information. If a consumer requests this information, companies must provide it free of charge, along with the related records for the 12 months prior to the request.
2. The Right to Delete
Customers can ask companies, and any service providers that also have the information, to delete their personal information. Businesses must respond to any such requests within 45 days, or 90 days with an extension. Notably, there are several exceptions and scenarios in which a company may not acquiesce:
- If information is essential to a service provided (e.g., completing a transaction or for warranty purposes)
- If the information is related to security practices
- If the information is related to a company’s legal obligations
- If the information relates to medical or consumer reports exemptions
These are not the only reasons a company may deny such a request, as the CCPA lists numerous exemptions, but they are likely among the most common. For more exceptions, see Civil Code sections 1798.105(d) and 1798.145.
3. The Right to Opt-Out
If you don’t want your information sold, you can opt out. Once businesses receive an opt-out request, they must comply, barring the exceptions. The no-sale status on your information will stand for 12 months, at which time a company may ask a customer if they still want to opt out.
4. The Right to Non-Discrimination
The CCPA specifies that companies cannot penalize customers for exercising their rights. The law prohibits companies from charging extra fees or providing sub-par service to those who exercise their rights. However, there is a loophole. Companies can offer limited promotions for certain opt-in choices. For example, a company may provide a coupon to those who subscribe to an email list.
Company Responsibilities Under the CCPA
- Provide Clear Links on Your Website – Businesses subject to the CCPA bear the responsibility to inform customers of their rights. For example, websites are required to have a link clearly displayed on the homepage allowing customers to opt out.
- Rights of Minors – Concerns about the information of minors are addressed in the CCPA. Children under the age of 16 but above 13 have the right to opt in or out. For those younger than 13, a parent or guardian must authorize the opt-in. Opt-out requests can be denied due to the exceptions noted above.
- Privacy Notices – Having the four rights listed above means little if consumers aren’t aware of them. Thus, the CCPA requires that companies provide privacy notices and make customers aware when the information will be collected. Companies should inform consumers of the intention to collect information prior to the actual collection, giving a customer time to opt out. Privacy notices should include a description of consumers’ rights, what types of PI will be collected, why the PI is being collected, and if it will be sold/disclosed.
- Make Information Accessible – Companies in compliance with CCPA guidelines must provide two options for submitting requests — a toll-free number and a website ticket. Moreover, companies cannot charge for these requests and the provided information must be in a format that is easily transmittable.
- Delete Information Upon Request – When a consumer requests that their information be deleted, companies are obliged to comply unless it is needed to fulfill a contract, for security purposes, necessary for debugging, in compliance with the California Electronic Communications Privacy Act, needed for research (statistics), or crucial to internal operations.
- Secure PI – Companies are required to take reasonable precautions to protect PI. Data at rest or data in transit should be protected under industry best practices.
- Quick Remediation – Once a company receives notification of non-compliance, it has 30 days to fix the issue or face a fine of up to $7,500 per violation.
Businesses Must Comply with CCPA If…
The CCPA applies not only to businesses based in California, but also to those that conduct business with California residents, and to data brokers. California law defines data brokers as,
“a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
Similarly, parent companies or subsidiaries fall under CCPA authority. Primary businesses fall under CCPA regulation if they meet one of the following thresholds:
- They have annual gross revenues of $25 million
- They buy, sell, or handle the personal information of 50,000 consumers or upwards
- 50 percent or more of their annual revenues come from selling consumers’ personal information
Four Easy Steps to Achieve Compliance
- Understand the Rules
Understand the CCPA rules and, importantly, keep track of the amendments. The CCPA is a fluid piece of legislation that will change as new cases/issues arise.
- Take Inventory
Take inventory of what information you collect, store, share/transmit, or sell. After categorizing the information by how it is handled, determine if there is redundancy or overcollection. Unnecessary data collection or storage only increases risk. Additionally, should a consumer exercise their rights, companies need to know where the data is in order to provide a report. Companies also need to know what information is related to minors versus those over 16 (per the CCPA rules).
- Prioritize Transparency
Prioritize transparency on your website. Under the CCPA, companies need to state how they use information clearly and provide a way for customers to request information. Clear privacy policies, written in understandable terms, are not only necessary but show a company’s commitment to compliance should legal disputes arise.
- Learn from Mistakes
Learn from the mistakes of other companies or your own. Although the CCPA is relatively new, lawsuits and violations will begin to flow in over the next few years. Keeping track of court rulings and remediation tactics will help clear up any ambiguity in the existing CCPA documentation.
What Information Does California’s Privacy Act Protect?
In terms of personal data, the CCPA is open-ended. The Act defines personal information as data that, “identifies, relates to, or could reasonably be linked with you or your household.” It does provide a list, as outlined below, but it is not exhaustive.
- Biometric data
- Geolocation data
- Characteristics of protected classifications under California or federal law
- Records of products purchased
- Internet browsing history
- Inferences from other personal information that could create a profile about your preferences and characteristics.
- Browsing/search history
- Physical characteristics or psychological trends
New CCPA Amendments
The initial Act went into effect on January 1, 2020, but the regulations continue to evolve. In 2019, Governor Gavin Newsom signed several new amendments into law. To keep pace with the rapid CCPA changes, be sure to check out the International Association of Privacy Professionals’ CCPA Amendment Tracker.
Amendments Signed Into Law Since 2018
- Exemption amendment – Excludes employment information from the definition of “consumer.”
- Personal information correction – “Publicly available information” or aggregate information does not fall under the definition of personal information or receive the related rights.
- Data breach notification amendment – Recognized biometric data as personal information and required companies to disclose what biometric data was affected if a security breach occurred.
- Vehicle amendment – Personal information relating to vehicle repair, recall, or warranty issues is exempt from the privacy rules.
- Data broker amendment – Established a registry to track data brokers that fall under CCPA requirements.
- Personal information rights amendment – The value of a consumer’s information may be taken into account when determining disclosures regarding a consumer’s rights. All such determinations must be reasonable to hold up in court.
- Disclosure amendment – Expanded the methods companies must provide to consumers for submitting disclosure requests.
- Exemptions for healthcare information
- Redefining personal information and de-identified information
- Right to delete exemption for insurance-related information
- Exceptions to the limits on collecting, using, retaining, selling, or disclosing personal information
CCPA vs GDPR
The EU’s GDPR and the CCPA are similar in that they both strengthen the rights of consumers when it comes to personal information. One major difference, though, is the jurisdiction of each law. While the GDPR covers the entire EU, the CCPA only applies to California residents or businesses operating in California. Because of the smaller impacted area, the CCPA is more specific than the GDPR in some cases. Below is a summation of the legal similarities and differences between the two compliance standards:
- The GDPR applies to any entity processing EU resident data whereas the CCPA has specific thresholds (as listed above) that for-profit companies must meet.
- The CCPA defines customers as individuals obtaining goods and services, employees, or Business-to-Business transactions, while the GDPR refers to Data Subjects or those to whom the data relates.
- The CCPA specifies that service providers and third parties must comply.
- The GDPR requires companies to implement reasonable security measures. For example, common security controls and processing practices include encryption and social engineering training for employees.
- The CCPA doesn’t impose security specifics. It does note, however, that should a case arise pointing to a lack of reasonable security a company may be held liable.
- The GDPR does not have an “Opt-Out” clause equivalent to the CCPA’s or require websites to provide an Opt-Out link.
- Under the CCPA, consent for minors applies only when personal data is involved, while the GDPR applies to all processing. Both recognize 16 as the cutoff age for requiring guardian consent.
- Both the GDPR and CCPA allow customers to ask for disclosure documentation about how their information is being processed/sold.
- The CCPA does not offer any means to correct inaccurate data (right of rectification).
- The GDPR includes a clause detailing the right to restrict the data processing, allowing for more tailored control over how data is used. In contrast, the CCPA only has a broad Opt-Out right.
- The GDPR has two additional rights for which there is no CCPA equivalent: the Right to Object to Processing (GDPR Article 21) and the Right to Object to Automated Decision-Making (GDPR Article 22).
According to Statista, 50 percent more Americans in 2019 were concerned about their online privacy compared to 2018. People are beginning to understand how pieces of their personal information can be turned into formidable weapons, whether through social engineering campaigns or identity theft. As a result, governing bodies have begun to implement new laws, like California’s Privacy Act. In the coming years, companies should expect other states to develop similar privacy standards. If you need assistance understanding the CCPA obligations, contact RSI Security to discuss the compliance services available.