Good data privacy measures are receiving more attention as big data usage grows. States within the U.S. have started to pass their own data privacy regulations in addition to the EU’s General Data Privacy Regulation.
Specifically, California signed a privacy law in 2018 called the California Consumer Privacy Act (CCPA) of 2018 to protect consumer data. Every business with annual revenue of $25 million or more, or whose sales of personal data account for at least 50% of total revenue, and which collects or maintains the personal data of 50,000 or more individuals is subject to the CCPA statute.
This article will discuss what you need to know about the CCPA including:
- What is the CCPA?
- GDPR vs. CCPA
- CCPA Details and Timeline
- CCPA Privacy Requirements
- What Does the CCPA Consider to be Consumer Personal Information?
- How to Comply with the CCPA
- Conclusion
This is part of our Data Privacy Guide.
What is the CCPA?
CCPA stands for the California Consumer Privacy Act which is legislation aimed at enhancing Californians’ data privacy.
In essence, it offers people the right to know when and how their personal information is collected and sold as well as a choice to refuse. Additionally, it gives customers the legal right to receive the same level of service at the same cost whether or not they invoke privacy rights.
The passage of the CCPA, which follows in the tracks of the General Data Protection Regulation (GDPR) and a slew of other state-enacted California privacy laws, reflects the growing concern of the general public regarding the misuse of personal data.
Read more:
GDPR vs. CCPA?
In essence, the CCPA grants specific rights to consumers, defined as natural persons who reside in California. Alternatively, the GDPR protects data subjects characterized as identified or identifiable natural persons.
In contrast to the CCPA, the GDPR protects data subjects rather than citizens or residents of a country.
CCPA Details and Timeline
The CCPA was enacted into law effective on January 1, 2020. For a more detailed yet comprehensive look, here are some of the most important events during the process of enacting the CCPA:
- October 12, 2017: The start of the privacy ballot initiative.
- June 28, 2018: The CCPA, AB 375, was signed into law.
- August 31, 2018: An amendment bill was approved.
- January 1, 2020: CCPA takes effect: Organizations must comply with California’s new privacy law.
- January 29, 2020: The ad industry requests a delay in the CA data privacy law enforcement deadline.
- February 10, 2020: A “first notice of modifications” to CCPA was published.
- March 27, 2020: A “second notice of modifications” to CCPA was published.
- June 1, 2020: The Attorney General submitted the final proposed CCPA regulations to OAL.
- July 1, 2020: Latest possible date for CCPA enforcement to begin.
- July 2, 2020: Latest possible date for California’s Attorney General to publish CCPA regulations.
CCPA Privacy Requirements
Businesses that acquire personal data from Californians must follow specific guidelines and restrictions under the CCPA.
The CCPA only applies to for-profit organizations, implying that charities and non-profits are exempt from this regulation. If you are the owner of a for-profit firm, you must abide by the California consumer data protection act if your enterprise ticks the following California privacy requirements:
- Annually receives, processes, or transfers data from more than 50,000 Californians,
- Your annual gross receipts exceed $25 million, or
- At least 50% of your yearly revenue originates from the sale of Californians’ data.
For a business to be subject to the CCPA, only one of the three criteria must be met. Therefore, you must abide by the Act even if your annual income is only $10 million, but 55,000 of your customers or website visitors are California residents.
In the end, it is a good idea to abide by the CCPA’s rules if you are unsure of whether it applies to your company. Doing so will also help you comply with other data protection rules, like the GDPR, which impacts most large businesses.
What Does the CCPA Consider to be Consumer Personal Information?
The CCPA enacted the following details to define Consumer Personal Information:
- Consumer’s name
- Consumer’s username
- Consumer’s password
- Consumer’s phone number
- Consumer’s physical address
- Consumer’s IP addresses
- Consumer device identifiers
The CCPA also protects data about a consumer’s race, religion, marital status, sexual orientation, and status as an armed forces member. Under the new law, California residents have the right to protect other information, such as information about your location and surfing history, as well as your fingerprints and facial recognition technology.
How to Comply with the CCPA
Since many of the CCPA’s definitions and stipulations are currently being refined, California CCPA compliance will be an ongoing process for businesses. However, the CCPA requires the following of all companies that are subject to its regulations:
- Need tonform consumers at the time of data acquisition or earlier.
- Establish processes for handling customer requests to know, access, and remove their data.
- Include a “Do Not Sell My Data” button on their website or mobile application.
- Respond to customer requests for information, deletion, and opt-out, within 45 days.
- Confirm the identification of customers who submit requests for access to and deletion of their data.
- Retain or sell consumers’ personal information for financial incentives.
- Maintain records of requests and the accompanying actions for 24 months.
A company has the right to refuse a request in some circumstances, such as when they cannot verify the request, but they still need to comply with the request to the fullest extent possible. This refusal implies that a request to remove something should be handled in the same manner as a request to opt-out of receiving something.
Conclusion
The monetary costs of data breaches and noncompliance fines grow each year. Thus, keeping up to date with all regulations as they continue to expand throughout the globe is essential.
Satori can help organizations dealing with personal data develop reliable systems that safeguard users’ privacy and data while abiding by applicable regulations like the CCPA.
To learn more:
- Book a demo with one of experts
