The California Consumer Protection Act (CCPA) of 2018 secures privacy rights for California consumers, and we have summarized the top eight things a business should know.
Effective January 1, 2020, CCPA gives consumers more control over their personal information and how a business uses it.
There are eight key points to understand about CCPA to be in compliance:
1. COVERED BUSINESSES
CCPA applies to any for-profit business that collects data from California residents, regardless of where your business is headquartered.
2. PERSONAL INFORMATION
CCPA defines personal information as information that identifies someone as an individual. Examples include, but are not limited to:
- Driver’s license information
- Browsing history
- Nonpublic personal information
3. CONSUMER RIGHTS
The crux of CCPA is consumer rights. These are the four rights:
- Right to Know – a business must disclose any collection of personal information and how it is shared.
- Right to Delete – consumers have the right to have their personal information deleted.
- Right to Opt-Out – there must be an option to let your customers opt out of having their personal information collected.
- Right to Non-Discrimination – if a consumer does opt out, they must not be discriminated against for doing so.
4. CCPA BUSINESS
If you are a business that deals with consumers who live in California, CCPA could apply to you.
For-profit businesses are subject to the CCPA if one or more of the following are true:
- Gross annual revenues of more than $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
- You control or are controlled by a covered business.
5. BUSINESS OBLIGATIONS
If your business is subject to CCPA, there are certain obligations you must follow:
- Provide a notice to consumers at or before data collection.
- Inform consumers about categories of information that will be collected and the reason it’s being collected.
- Create procedures to respond to requests from consumers to opt out, know, and delete.
There are many steps a business should take to be in compliance with CCPA.
Some of these steps include the following:
- Watch the status of the CCPA to ensure the business is aware of additional amendments and the regulations that will be issued.
- Present resources to identify and map the consumer personal information in the business’s possession or under the business’s control. This includes others acting on the business’s behalf.
- Review and identify existing or needed organizational and technical procedures to facilitate compliance with consumer rights under CCPA.
- Review or create a data retention schedule that reflects the types of data the business maintains (the purpose is to safeguard data).
- Identify whether the business needs to update notice of collection and processing activities, as well as consumer access and deletion rights.
- Review service agreements with service providers that have access to consumer personal information.
Penalties for non-compliance with CCPA vary depending on the violation. Judgments have been handed down against businesses that have failed privacy and security obligations. Some of these landmark cases include Wells Fargo, Citibank, N.A., Equifax, Lenovo Corporation and others.
CCPA is enforceable both by the Attorney General for the State of California and by private litigants. Currently the California Attorney General is Xavier Becerra. CCPA enforcement action can start July 1, 2020.
There are many rules and regulations that apply to CCPA, but they can be managed with the right policies and procedures. Applying CCPA to the personal information of all your consumers will provide an extra level of security for your business.