In an era when many business activities happen online – and when most people have a digital footprint – privacy laws are inevitable. After the widely known GDPR came into effect, many other countries and regions are continuing to establish privacy laws of their own. CCPA in California is one of them.
If you have questions on this particular law (including basic, but important ones like “what is CCPA?”), here’s a short FAQ to help you understand it better:
What does CCPA mean?
“CCPA” stands for California Consumer Privacy Act.
What is the California Consumer Privacy Act of 2018?
The California Consumer Privacy Act, or CCPA, is a privacy protection law voted in by California lawmakers in 2018. Its purpose is to protect the personal information of California residents (“consumers”).
When does CCPA go into effect?
CCPA goes into effect on January 1st, 2020.
What does the CCPA do?
To protect the personal information of consumers, CCPA places requirements on businesses for collecting, sharing or selling that personal information. It also restricts the sale of personal information of minors.
CCPA gives privacy rights to California residents, too. These rights include the right to disclosure, the right to deletion, the right to data portability and the right to object to the sale of their personal information.
Who does the CCPA apply to?
CCPA protects California residents (whether they’re currently in the state or not) and refers to them as “consumers”.
CCPA places obligations on “businesses” headquartered inside or outside of California, which collect personal information of California state residents and satisfy at least one of three conditions:
- Annual gross revenue of more than $25 million.
- Buying, selling or otherwise handling the personal information of more than 50,000 CA-based consumers, households, or devices annually.
- Deriving at least 50 percent of annual revenue from selling CA consumers’ personal information.
What personal information is protected under this law?
Under CCPA, “personal information” refers to information that identifies, relates to, describes, and is linked to or associated with a consumer or household.
Based on this definition, information covered by CCPA may include name, address, social security number, email address, search history, IP address or geolocation data (this list isn’t exhaustive).
What are the main CCPA requirements for businesses?
The main CCPA requirements for businesses are:
- Disclose collection. A business must disclose the categories of personal information it collects and the purposes for collecting them. When it receives a verifiable consumer request, it must also disclose the specific pieces of personal information it has collected about that consumer.
- Provide the right of deletion. A business must inform consumers of their right to request the deletion of the personal information it has collected about them, and must comply with such a request.
- Give consumers the opportunity to exercise their rights. For example, the business must provide two or more designated methods for consumers to submit requests. It must also include a “Do not sell my personal information” link in a prominent place on the website’s homepage.
- Comply with consumer requests. A business must comply with a verified consumer request within 45 days. If the business can’t comply for some reason, it must inform the consumer.
- Respect consumers’ rights under CCPA. This includes the right to access, the right to deletion, the right to data portability, the right to opt-in (for minors) and the right to opt-out.
Can a company refuse to comply with a consumer’s request?
Yes, under certain conditions. CCPA obliges businesses to comply with consumer requests unless certain criteria are met. For example, a business isn’t required to comply with a consumer’s request to delete their personal information if it’s “necessary for the business to maintain the consumer’s personal information”. The law lists the criteria that make it “necessary” to keep a consumer’s information (e.g. to comply with a legal obligation, detect security incidents and more).
To be on the safe side, handle every consumer request through the methods you’ve established, and consult your legal counsel on a case-by-case basis before refusing to comply with any of them.
Are there exceptions from this law?
Yes. Under Assembly Bill 25, there’s a one-year exemption from the CCPA obligations for businesses that collect and process data from a natural person acting as a job applicant. This means that for one year (until Jan 1, 2021), job applicants don’t have the same rights as other consumers.
Specific privacy rules covering employees are expected to follow. (IWA is planning to publish an article on AB 25 in the future, so stay tuned!)
What’s the CCPA-GDPR comparison?
Generally, while the two laws have some similarities, they also differ in some respects. For example, GDPR has extra-territorial effect: under certain circumstances it applies to companies that process EU data whether or not they’re established in the EU. CCPA can likewise apply to businesses headquartered outside California that collect personal information of California state residents and satisfy certain criteria.
Learn more about the CCPA vs. GDPR comparison.
Does this California law place requirements for security like GDPR?
This is less clear-cut. GDPR explicitly requires having in place “appropriate technical and organizational measures”. CCPA contains language that could be read as pointing to security requirements, but it is not as explicit.
Generally, it’s good to consult attorneys and security experts to ensure you protect the personal information of consumers as much as possible.
How to implement CCPA
Each business might need to follow a tailored plan of action to achieve compliance with the CCPA, but generally, you could follow this CCPA compliance checklist:
- Read about the law yourself. If possible, read the actual CCPA law to see the requirements and collect questions you may have.
- Consult with your attorney or legal counsel. Legal counsel can answer your questions and explain the requirements of the law, as well as any controversy around it.
- Compare and contrast with other privacy laws. If you comply with other privacy laws (e.g. GDPR), see if there’s any overlap in the requirements – it’s possible that you already comply with some aspects of California’s privacy legislation.
- Keep abreast of changes. Laws can change, especially via assembly bills. For example, job applicants and employees are likely excluded from the definition of “consumer” via Assembly Bill 25.
What are the consequences of violating this law?
Under CCPA, each business has 30 days to cure violations and inform consumers that it has done so. After these 30 days, if the business still doesn’t comply, it can receive a fine of $2,500 to $7,500. The business may also need to pay $100 to $750 per consumer per incident after civil action.
For example, the minimum amount you might need to pay for violating CCPA with respect to 1,000 consumers is 1,000 × $100 = $100,000, plus at least $2,500.
IWA is not a law firm. This article is meant to provide general guidelines and should be used as a reference. It’s not a legal document and doesn’t provide legal advice. Neither the author nor IWA will assume any legal liability that may arise from the use of this article. Always consult your attorney on matters of legal compliance.