The CCPA was created with the goal of enhancing the privacy rights of California residents. Going into effect in January 2020, the CCPA requires businesses to take several steps to be compliant. The law is comparable to the EU’s General Data Protection Regulation (GDPR) but takes certain measures even further, like having a broader definition of what constitutes private data.
What does the CCPA do?
The CCPA grants California residents certain rights in regard to businesses collecting their private data. These rights include:
- The right to know what information is collected, used, shared, or sold about them;
- The right to request that businesses delete this information;
- The right to opt out of the sale of their personal information. Children under age 16 must opt in, and parents/guardians must consent for those under age 13;
- The right to non-discrimination in price or service when a citizen exercises these rights.
By 2020, businesses collecting private data in California will be required to provide these rights to consumers. Businesses are also expected to notify consumers of these rights at or before the time of data collection.
Does this affect my business?
Any business collecting data on California residents is subject to the CCPA if it:
- Has gross annual revenues of over $25 million;
- Buys, receives, or sells the personal data of over 50,000 consumers, households, or devices;
- Or receives 50% or more of its annual revenue from selling consumers’ personal data.
On top of this, any business that “controls”, is “controlled by”, or “has common branding to” a business that meets the above criteria is also subject to the CCPA.
What are my business’ obligations?
The CCPA prioritizes three major goals. Firstly, the CCPA aims to ensure considerable transparency regarding the information businesses collect about consumers. Consumers will be able to request all of the personal information businesses have collected, as well as any third parties their data was shared with and what the data was used for. This includes the fiscal incentives that businesses have for collecting personal data and how the data’s value was calculated.
Businesses will be responsible for notifying consumers that their data is being collected, so it’s key to draft these notices ahead of time and implement them into your business’ website(s).
The second major goal of the CCPA is to give consumers the right to opt out of data collection. As such, businesses are required to provide a “Do Not Sell My Information” link on their website(s). This poses a challenge for businesses in that they must now separate data in terms of their users’ security preferences.
The final goal of the CCPA is increased security. The CCPA implements consequences for businesses that don’t keep personal information secured. Businesses will be required to verify the identity of a consumer requesting data even if they are doing so through a password-protected account.
Lastly, businesses must keep records of all consumers’ requests and the business’ response for up to 24 months in order to prove compliance.
What if my business is not compliant?
Businesses are given a 30-day window to comply once notified of a violation. A fine of up to $7,500 per record can be issued if the violation is not corrected within this time. Not being compliant can become costly very quickly, so it’s important to have as much covered from day one as possible.
Something notable about the CCPA is that it grants consumers the right to sue. Consumers must give written notice to a business if they believe their privacy rights have been violated. This opens a 30-day window for the business to fix the issue, and if not dealt with, consumers may bring a class-action lawsuit.
With regard to security, the wording of the CCPA is fairly vague. The law requires businesses to maintain “reasonable security procedures” to avoid data breaches. On top of this, consumers have an individual right to act for data breaches that can carry fines of $100-$750. Businesses seem to have some leniency in how they handle security, but it’s clear that security breaches can carry harsh penalties depending on their severity.
All in all, being compliant with the CCPA will require several changes in how businesses organize data. Being able to categorize data in terms of consumer preferences and providing added security is highly important. Be aware of all the ways and types of data that your business collects and organize it accordingly. Be prepared to provide the correct notices to customers and have procedures in place for any legal data requests, and compliance should not be a problem.
About Launch Team, Inc.
We are a multi-dimensional, highly focused marketing firm that has helped companies in technical and engineering-driven industries succeed. We've been doing this for over 30 years, increasing and improving our offerings along the way. Our team's backgrounds include optics, chemistry, and biology, paired with a core business and marketing focus. This gives our team a unique understanding of your business, the decision makers you work with, and the engineers who will evaluate your solution.