The California Consumer Privacy Act (CCPA) is a state law passed in June 2018 (AB 375) that gives California residents rights over the personal information that businesses collect about them. It requires covered businesses to disclose what personal information they collect and how they use, sell, or share it, to honor consumer requests to access and delete that information, and to implement and maintain reasonable security procedures and practices to protect it. The California Privacy Rights Act (CPRA), a ballot initiative approved in November 2020 and operative for most purposes on January 1, 2023, amended the CCPA and added further rights, including the right to have inaccurate information corrected.
What is the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state law designed to protect the privacy of California residents. It was the first comprehensive consumer privacy law enacted by a U.S. state, and it gives consumers the right to know what personal information a business collects about them, to have it deleted, and to opt out of its sale. It does not let consumers set retention periods, but the CPRA amendments require a business to disclose how long it retains each category of personal information (or the criteria it uses to decide) and to keep it no longer than reasonably necessary. The CCPA was passed quickly in June 2018 as a legislative compromise to keep a broader privacy initiative off the November ballot, in a climate shaped by the Cambridge Analytica revelations about the misuse of Facebook user data.
How does the CCPA affect me?
The CCPA gives California consumers the right to know what personal information a business has collected about them. On request, a business must disclose the categories and specific pieces of personal information it has collected, the categories of sources, the business or commercial purposes for collecting, selling, or sharing it, and the categories of third parties it discloses the information to. In its privacy policy, the business must also state how long it retains each category of personal information or the criteria it uses to decide. The CPRA amendments added the right to ask a business to correct inaccurate personal information.
Consumers can also ask a business to delete the personal information it has collected from them, subject to exceptions (for example, information needed to complete a requested transaction, to detect security incidents, or to comply with a legal obligation), and can direct a business not to sell or share their personal information.
Selling or sharing personal information is generally opt-out under the CCPA, not opt-in. A business that sells or shares personal information must post a clear "Do Not Sell or Share My Personal Information" link, honor opt-out requests, and recognize opt-out preference signals sent by the consumer's browser. The exception is minors: a business may not sell or share the personal information of a consumer it knows to be under 16 without affirmative authorization (from a parent or guardian for children under 13). A business may not discriminate against a consumer for exercising these rights, for example by refusing service or charging a different price, unless the difference is reasonably related to the value the consumer's data provides to the business.
Furthermore, businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. This means protecting it not only from external attackers and data breaches but also from access by employees and contractors who have no business need for it; the CCPA's private right of action is triggered by breaches that result from a failure to meet this duty.
Finally, the right to opt out applies to the sale and sharing of personal information, not to collection itself. A consumer cannot stop a business from collecting the information that is reasonably necessary to provide the service the consumer asked for, but the CPRA amendments limit collection, use, and retention to what is reasonably necessary and proportionate to the purposes disclosed to the consumer.
What are the consequences of violating California laws?
The CCPA is enforced by the California Attorney General and, since the CPRA amendments, by the California Privacy Protection Agency (CPPA). A business that violates the CCPA faces administrative fines or civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16. Separately, consumers whose nonencrypted and nonredacted personal information is exposed in a data breach caused by a business's failure to maintain reasonable security may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Businesses must respond to consumer requests free of charge; a request to know need not be answered more than twice in a 12-month period, and only a manifestly unfounded or excessive request may be refused or charged a reasonable fee.
What are the major points of the California Consumer Privacy Act?
Under the statute, "personal information" is defined as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The statute lists examples that include names, postal and email addresses, Social Security, driver's license, and passport numbers, biometric information, browsing and search history, geolocation data, and inferences drawn from such data to build a profile. The CPRA amendments carved out a subset of "sensitive personal information" (for example, government identifiers, account credentials, precise geolocation, racial or ethnic origin, and health or genetic data) whose use consumers may ask a business to limit. Personal information does not include:
(1) publicly available information, meaning information lawfully made available from federal, state, or local government records and, since the CPRA amendments, information a business has a reasonable basis to believe the consumer lawfully made available to the general public or that was made available through widely distributed media;
(2) deidentified or aggregate consumer information; or
(3) information already governed by specified sector-specific laws that the Act exempts, such as medical information under HIPAA or California's Confidentiality of Medical Information Act, consumer report information under the Fair Credit Reporting Act, and financial information under the Gramm-Leach-Bliley Act.
Note that government-issued identifiers such as Social Security and driver's license numbers are personal information; the statute names them explicitly, and they are among the data elements that trigger breach notification.
When does my company need to comply with the CCPA?
The law has been effective since January 1, 2020, with Attorney General enforcement beginning July 1, 2020; the CPRA amendments became operative on January 1, 2023. It applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of three thresholds: annual gross revenue above $25 million (as adjusted for inflation); buying, selling, or sharing the personal information of 100,000 or more consumers or households per year (the original threshold was 50,000); or deriving 50 percent or more of annual revenue from selling or sharing personal information. A physical presence in California is not required, and the law also reaches entities that control or are controlled by a covered business and share common branding. Nonprofits and government agencies are not covered.
How much information must I disclose to consumers?
A covered business must, at or before the point of collection, tell consumers the categories of personal information it collects, the purposes for which each category is used, and whether it is sold or shared. Its privacy policy, updated at least every 12 months, must also describe consumers' rights and how to exercise them, the categories of sources, the categories of third parties to whom information is disclosed, and retention periods. In response to a verified request to know, the business must provide the specific pieces of personal information it holds about that consumer in a portable and readily usable format.
When does my company have to disclose personal information?
Notice at collection is owed to every consumer from whom information is collected. Disclosure of the specific information held about an individual is owed on request, and a business need not answer the same consumer's request to know more than twice in a 12-month period. A business that sells or shares personal information must additionally tell consumers which categories it sold or shared and to which categories of third parties.
What about aggregated information?
Aggregate consumer information, meaning information that relates to a group or category of consumers from which individual identities have been removed and that is not linked or reasonably linkable to any consumer or household, is not personal information under the CCPA, so it falls outside the disclosure and deletion rights. The same is true of deidentified information, provided the business takes reasonable measures to ensure it cannot be reidentified, publicly commits not to reidentify it, and contractually obligates recipients to do the same. Data that is merely pseudonymized (for example, keyed to a hashed email address or a device identifier) is still personal information.
What if my company can’t disclose aggregate information?
If a business declines a request because the data in question is aggregate or deidentified rather than personal information, or because a statutory exception applies, it must still respond within the statutory deadline, explain the basis for the denial, and provide whatever personal information is not exempt. A request may not be denied merely because answering it is burdensome, and a business that cannot verify the requester's identity must say so rather than disclose specific pieces of information to an unverified requester.
What about the “reasonable time” requirement?
The CCPA requires a business to respond to a verifiable consumer request to know, delete, or correct within 45 days of receiving it. The request need not be in writing: a business must offer at least two submission methods, generally a toll-free number and a web form, and must confirm receipt within 10 business days. The 45-day period may be extended once by up to 45 additional days when reasonably necessary, provided the consumer is told of the extension and the reason within the first 45 days. Opt-out requests must be honored within 15 business days. A consumer may withdraw a request at any time, but the business cannot make its response conditional on that.
Does my company need to notify consumers when a breach happens?
Yes, but the obligation comes from California's data breach notification law (Civil Code section 1798.82), not from the CCPA itself. Any person or business that owns or licenses computerized data containing California residents' personal information must notify affected residents when unencrypted personal information (or encrypted information together with its key) was, or is reasonably believed to have been, acquired by an unauthorized person. The CCPA connects to this through its private right of action: a breach of nonencrypted and nonredacted personal information that results from a failure to maintain reasonable security exposes the business to statutory damages.
What does my company need to disclose to consumers in the event of a breach?
Under section 1798.82, a business that experiences a qualifying breach must:
(1) notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and the time needed to determine the scope of the breach and restore the integrity of the system;
(2) write the notice in plain language under the heading "Notice of Data Breach," covering what happened, what information was involved, what the business is doing, what the consumer can do, and how to contact the business, and, where a username or email address was breached together with a password or security question, instruct the consumer to change those credentials;
(3) if Social Security, driver's license, or California identification card numbers were breached and the business was the source of the breach, offer appropriate identity theft prevention and mitigation services at no cost for at least 12 months; and
(4) if more than 500 California residents are notified in a single breach, submit a sample copy of the notice to the California Attorney General.
There is no fixed five-business-day deadline for the Attorney General; the sample notice is submitted electronically when the consumer notices go out. Breaches of medical or health insurance information trigger the same notice, and a HIPAA-covered entity that fully complies with the HITECH breach notification rule is deemed to comply.
Does my company have to notify consumers if the breach isn’t serious?
Section 1798.82 has no "seriousness" threshold. Notice is required whenever unencrypted personal information, as that section defines it (for example, a name combined with a Social Security number, a driver's license number, a financial account number with its access code, medical information, biometric data, or a username or email address with a password), was or is reasonably believed to have been acquired by an unauthorized person. What the business need not do is notify for data that was encrypted, provided the key was not also compromised, or for data outside that definition.
How will your company determine who is affected by the breach?
The business must identify the affected residents from its own records, which is why access logs, a current data inventory, and an incident response process that can reconstruct what was accessed are part of reasonable security. Where individual notice is impractical, section 1798.82 allows substitute notice (email where addresses are held, a conspicuous posting on the business's website for at least 30 days, and notification to major statewide media) when individual notice would cost more than $250,000, more than 500,000 people would have to be notified, or the business lacks sufficient contact information. Not being able to determine the exact number of affected consumers does not remove the obligation; the business must notify everyone whose information it reasonably believes was acquired.
What if my business is processing information on behalf of another business?
If a business processes personal information on behalf of another business, it is a "service provider" (or, under the CPRA amendments, a "contractor") and must operate under a written contract that prohibits it from selling or sharing the information, from retaining, using, or disclosing it for any purpose other than the contracted business purpose, and from combining it with personal information from other sources except as the regulations allow. The contract must also require the service provider to comply with the CCPA, to provide the same level of privacy protection, to notify the business if it can no longer meet its obligations, and to let the business take reasonable steps to stop and remediate unauthorized use. A service provider that honors these terms is not the party responsible for answering consumer requests, but it must assist the business in doing so and must forward or redirect requests it receives. The service provider exemption does not extend to the business's own employees, affiliates, or contractors acting outside such a contract.
What if my business sells information?
If your business sells or shares personal information, it must say so in its notice at collection and privacy policy, post a clear and conspicuous "Do Not Sell or Share My Personal Information" link on its homepage, honor opt-out requests within 15 business days (and instruct any third party that received the data in the meantime to stop using it), and recognize opt-out preference signals such as Global Privacy Control. It may not sell or share the personal information of consumers it knows to be under 16 without opt-in consent, and it must wait at least 12 months after an opt-out before asking that consumer to opt back in. Third parties that buy personal information may not resell it unless the consumer has received explicit notice and an opportunity to opt out, and contracts with third parties must pass the CCPA's restrictions downstream.
"Sale" is defined broadly as disclosing personal information for monetary or other valuable consideration, so it reaches online advertising and data-exchange arrangements as well as literal sales of customer lists; "sharing" covers disclosures for cross-context behavioral advertising even without payment. The Attorney General's first CCPA enforcement settlement, with Sephora in 2022, concerned exactly these practices: making customer data available to advertising networks without disclosing it as a sale, without a "Do Not Sell" link, and without honoring Global Privacy Control signals.
The penalties for violating the CCPA are civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. Each consumer whose information is sold without the required notice and opt-out can count as a separate violation, so exposure scales with the number of affected consumers. Selling personal information is not prohibited, but a business that does it must have the notice and opt-out machinery described above in place before the first sale.
What if my business uses technology to process personal information?
The CCPA applies to personal information however it is processed; using an automated system, a CRM, or an analytics platform does not change the obligations. The CPRA amendments also authorize regulations on automated decision-making technology and on risk assessments and cybersecurity audits for businesses whose processing presents significant risk to consumers' privacy or security.
The CCPA does not prescribe a formal "privacy program," but meeting its requirements in practice amounts to one. At a minimum a covered business must:
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information. This duty appears both in Civil Code section 1798.81.5 and in the CCPA itself, and its breach is what triggers the private right of action.
Notify individuals at or before the point of collection of the categories of personal information collected, the purposes for which they are used, whether they are sold or shared, and how long they are retained.
Maintain records of consumer requests and how they were handled for at least 24 months, train the staff who handle requests, and document the security policies and procedures the business relies on.
The CCPA is a groundbreaking statute that affects companies inside and outside California. It has been in force since 2020 and the CPRA amendments since 2023, so a company that handles California residents' data needs a working compliance program now, not a plan, to avoid penalties and breach litigation.
Who is responsible for compliance?
The CCPA does not require a business to appoint a Chief Privacy Officer; the business itself is the liable party. In practice, most covered companies assign a privacy lead (often a CPO or privacy counsel) who owns compliance, because the law requires someone to receive, verify, respond to, and document consumer requests within fixed deadlines and to keep the privacy policy current. Whoever holds that role should:
Stay current on the statute and the California Privacy Protection Agency's regulations, which have changed substantially since 2020, through training and professional certification.
Build privacy into company policies and operations, including data retention schedules that match what the privacy policy promises.
Develop and maintain the privacy program, including notices, request-handling procedures, and retention policies, and re-evaluate it at least annually.
Train employees who handle personal information or consumer requests on the company's policies and on the CCPA's requirements, as the regulations require.
Be accountable to management for the company's compliance with privacy and security requirements.
Maintain a system to receive, verify, respond to, and document consumer requests, complaints, and inquiries, retaining the records for at least 24 months.
What additional obligations does my company have?
Authoritative guidance comes from the California Attorney General's CCPA pages and from the California Privacy Protection Agency, which publishes the regulations and enforcement advisories. The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization whose materials can be useful, but it has no enforcement role and the CCPA does not require businesses to reference or link to it.
Companies should prepare their websites before they are subject to the law. The privacy policy must be posted and updated at least once every 12 months, the notice at collection must be presented wherever information is collected (including in mobile apps and at points of sale), a "Do Not Sell or Share My Personal Information" link must appear on the homepage if the business sells or shares data, and the notices must be reasonably accessible to consumers with disabilities. Responses to consumer requests should use the statute's own terms so consumers can recognize which right is being addressed.
Social media platforms that meet the thresholds are covered businesses in their own right, and a company that collects personal information through its own social media presence or through social logins is collecting it under the CCPA. Companies should review their social media policies so that customer-service replies on these channels do not promise more or less than the law requires, and so that requests arriving through them are routed into the formal request process.
Under the CPRA amendments, a company's collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes disclosed to the consumer. A social login should therefore request only the profile fields the service actually needs, and information obtained that way may not be used for an unrelated purpose without new notice.
The CCPA gives consumers the right to opt out of the sale and sharing of their personal information and to limit the use of their sensitive personal information, and the CPRA amendments require that any consent be as easy to withdraw as it was to give. Companies should tell consumers in the privacy policy how to exercise these rights and must not use interface designs that make opting out materially harder than opting in.
If a company communicates with consumers through text message, it must have procedures in place so that consumers can easily opt out; the CCPA governs the personal information collected in the process, while the opt-out mechanics for marketing texts themselves come largely from other laws such as the federal TCPA.
Companies should review their contracts with service providers, contractors, and third parties with whom they disclose consumer information to make sure they contain the terms the CCPA and its regulations require, and should carry out reasonable due diligence on those parties; a business that knew or had reason to know a recipient intended to violate the law shares in the liability.
What if my company doesn’t comply with the CCPA?
A business that violates the CCPA faces civil penalties, recoverable by the Attorney General or the California Privacy Protection Agency, of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving a consumer under 16. Penalties are assessed per violation, and each affected consumer or each disregarded request can be a separate violation, so there is no fixed cap such as $35,000. The original 30-day notice-and-cure period for regulator enforcement was removed by the CPRA amendments, although regulators may weigh a business's good-faith efforts to cure.
Consumers do not receive $7,500 payments under the CCPA, and a business does not lose the right to collect information for three years. The consumer remedy is the private right of action for data breaches: $100 to $750 per consumer per incident, or actual damages if greater, recoverable individually or as a class action, after the consumer gives 30 days' written notice identifying the violation and the business fails to cure it where cure is possible.
What if my company shares information with or sells information to a U.S. business?
The CCPA follows the data, not the recipient's location. If your company sells or shares California residents' personal information with any business, inside or outside California, the sale or sharing must be disclosed, the opt-out must be honored, and the recipient must be bound by contract to the CCPA's restrictions. Disclosures to a service provider under a compliant contract are not sales.
My company uses a tool, such as a customer relationship management solution, that complies with the CCPA.
Using a compliant tool does not make your company compliant. The vendor is typically your service provider, and it is your company that must publish the notices, verify and answer consumer requests, and make sure the vendor contract contains the required terms. Check that the tool can actually locate, export, correct, and delete an individual consumer's records within the 45-day deadline, and that deletion propagates to backups and downstream systems within a reasonable time.
If your company wants to rely on an exception to the CCPA's rules (for example, that a disclosure is to a service provider, that data is deidentified, or that a deletion request falls within a statutory exception), there is no authorization to file with the state. The business bears the burden of showing that the exception applies and should keep that documentation with its request records.
We have data belonging to a California resident that we would like to transfer to a company in a different state. Can we transfer the data?
Yes. The CCPA does not restrict transfers by geography, and there is no authorization form or state agency that "ceases using" information on the resident's behalf. What matters is the role of the recipient. Before transferring the data, the company must:
Determine whether the recipient is a service provider or contractor acting under a written contract with the required CCPA terms. If so, the transfer is a disclosure for a business purpose and no opt-out is needed, though it must fit the purposes disclosed at collection.
If the recipient is instead a third party that will use the data for its own purposes, treat the transfer as a sale or sharing: disclose it in the notice at collection and privacy policy, provide the "Do Not Sell or Share My Personal Information" link, honor any opt-out already on file for that resident, and do not transfer the data of consumers known to be under 16 without opt-in consent.
Bind the recipient by contract to use the information only for the specified purposes, to comply with the CCPA, to provide the same level of privacy protection, and to notify the company if it can no longer do so, and reserve the right to take reasonable steps to stop and remediate unauthorized use.
Record the transfer in the company's data inventory so that a later deletion or correction request can be forwarded to the recipient, which the CCPA requires for service providers and contractors and, unless impossible or disproportionately difficult, for third parties to whom the data was sold or shared.
Who can submit a consumer request?
- A consumer is any natural person who is a California resident; the CCPA does not require an account or prior relationship with the company.
- A consumer request may be submitted by the consumer, by a person the consumer has authorized in writing to act as an agent, or, for a child under 13, by a parent or guardian. A business may require proof of the agent's authorization and may also ask the consumer to verify their own identity directly.
- A request may be submitted through any of the methods the business is required to offer (at least two, generally a toll-free number and a web form; a business that operates exclusively online and has a direct relationship with the consumer may offer only an email address). A clear request that arrives by another route should still be honored or redirected.
- Before disclosing specific pieces of information, deleting data, or correcting it, the business must verify the requester's identity, to a reasonable degree of certainty for most data and a reasonably high degree for sensitive data, by matching the data points the requester supplies against what the business already holds. A business must never disclose Social Security numbers, driver's license numbers, account passwords, or similar secrets in response to a request.
If a consumer submits a consumer request, then the company must:
- Confirm receipt within 10 business days and give a substantive response within 45 days, extendable once by up to 45 days with notice to the consumer.
- Honor an opt-out request within 15 business days, without requiring identity verification.
- Provide the response free of charge and, for a request to know, in writing, with specific pieces of information delivered in a portable and readily usable format.
- If the request is denied in whole or in part, explain the basis for the denial and provide contact information for the business's privacy function so the consumer can follow up.
- Forward deletion and correction requests to service providers and contractors and, unless impossible or disproportionately difficult, to third parties to whom the business sold or shared the information.
What information does the CCPA protect?
The CCPA protects "personal information" as the statute defines it, not only information a business chooses to label as such. This includes direct identifiers such as name, Social Security number, email address, and account number; biometric and geolocation data; internet activity such as browsing history and interactions with a website or advertisement; medical and health insurance information; and inferences drawn from any of these to build a profile. Demographic data such as age, gender, or ZIP code is personal information when it is linked or reasonably linkable to a particular consumer or household; it stops being protected only when it is truly aggregate or deidentified as the statute defines those terms.
The GDPR regulates the processing of personal data by controllers and processors established in the EU, and by those outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. Its definition of personal data is "any information relating to an identified or identifiable natural person." The GDPR requires that personal data be processed lawfully, fairly, and transparently, collected only for specified, explicit, and legitimate purposes, kept accurate and no longer than necessary, and protected by appropriate technical and organizational security measures.
The CCPA and GDPR have similarities. Both regulate the processing of personal information, and both require businesses to disclose their collection, use, retention, and disclosure practices and to honor access and deletion requests. But there are also important differences.
The GDPR protects any natural person, whereas the CCPA covers California residents and extends to household data. The GDPR requires a lawful basis for every processing activity, and consent is only one of six such bases (alongside contract, legal obligation, vital interests, public task, and legitimate interests), so the common statement that the GDPR "requires consent" is inaccurate. The CCPA instead permits collection after notice and relies on opt-out rights for sale and sharing, with opt-in consent reserved for consumers under 16 and for the financial-incentive and sensitive-information cases added by the CPRA amendments.
Both laws address security. The GDPR requires appropriate technical and organizational measures and notification of the supervisory authority within 72 hours of becoming aware of a breach. The CCPA requires reasonable security procedures and practices and, unusually, gives consumers a statutory-damages claim when a breach results from their absence; notification of affected individuals comes from California's separate breach notification law.
The GDPR replaced the earlier Data Protection Directive (95/46/EC) in May 2018; businesses subject to the GDPR do not comply with a second, parallel directive, although they may also be subject to national implementing laws and to the ePrivacy Directive for cookies and electronic marketing. The GDPR's obligations (data protection officers for some organizations, data protection impact assessments, records of processing, and restrictions on international transfers) are more extensive than the CCPA's, although the CPRA amendments have narrowed the gap with risk assessments and cybersecurity audits.
What if I share personal information with another company?
The CCPA does apply when companies share personal information with each other; the question is which company is responsible for what. A business that discloses personal information to a service provider, contractor, or third party under a contract containing the CCPA's required terms is not liable for that recipient's later violation, provided that at the time of disclosure it had no actual knowledge or reason to believe the recipient intended to violate the law; the recipient is then liable for its own conduct. So if Company A discloses its customers' personal information to Company C without a compliant contract, or while having reason to believe Company C will misuse it, Company A remains exposed. If Company A merely acts as Company B's service provider for Company B's customers, Company B remains the business responsible to those consumers, and Company A is bound by the service provider restrictions and liable for breaking them.
Conclusion: The California Consumer Privacy Act (CCPA), passed in 2018, effective in 2020, and expanded by the CPRA amendments in 2023, requires covered businesses to tell consumers what personal information they collect and why, to honor requests to know, delete, correct, and opt out of the sale or sharing of that information, and to maintain reasonable security. It does not ban the sale of personal information, but it makes selling or sharing it without notice and a working opt-out a violation, and it gives consumers a direct damages claim when poor security leads to a breach. Breach notification itself remains governed by California's separate breach notification law.