You’ve probably heard of the European Union’s General Data Protection Regulation (GDPR), but what is the CCPA?
The California Consumer Privacy Act (CCPA) took effect January 1, and although it’s a state law, it holds companies around the world accountable for the customer data they collect. New year, new privacy regulations.
Here’s a quick look at the new law, who must comply, and how to ensure your business is compliant.
What is the CCPA?
The CCPA is designed to make data collection and sharing more transparent to California residents. The law requires that businesses:
- Disclose the kind of customer data they collect, share, and sell.
- Quickly fulfill requests from California residents to see data the company has collected on them over the previous year.
- Delete customers’ personal data on request, including deletion by third parties who have access to that data.
- Provide a way for customers to opt out of personal data collection and/or having their data shared with third parties.
- Refrain from discriminating against customers who opt out, request data deletion, or use other rights outlined in the CCPA.
Businesses who receive a request for data records, data deletion, or sharing limitations from a California resident have 30 days to comply.
These new regulations make the CCPA the strictest data-privacy law in the United States. Because the law grants rights to California residents, it affects many businesses located outside of the state that do business with customers in California. The scope of the CCPA is why some people call it the GDPR of the United States.
Is the CCPA basically the same as the GDPR?
Don’t let the nickname fool you into thinking that the CCPA is the same as the GDPR. For one thing, the CCPA defines personal data more broadly than the GDPR. As a result, the CCPA covers data that could “reasonably be linked, directly or indirectly, with a particular consumer or household,” including behavioral biometrics and tracking tags.
And unlike the GDPR, the CCPA requires businesses to provide a highly visible “Do Not Sell My Personal Information” link that residents can use to opt out.
If you’re already GDPR compliant, great! You’ve laid a foundation for CCPA compliance.
But it’s important to make sure you’re meeting the specific requirements of the CCPA. Because the interpretation and enforcement of CCPA are still evolving, it’s a good idea to keep up with CCPA news. For example, California’s attorney general is due to start enforcing the law in July, and the AG’s office can adopt other rules to support the CCPA at any time.
Not based in California? You may need to comply anyway.
No matter where your business is located, you must comply if you do business with California residents and meet at least one of the following criteria:
- You have annual gross revenue of $25 million or more.
- You earn half or more of your yearly revenue from the sale of Californians’ personal data.
- You collect, buy, sell, or share personal data on 50,000 or more California-based accounts (individuals, households, or digital devices) per year.
Nonprofits and smaller businesses are exempt from the law, but as California consumers get used to their CCPA rights, businesses that aren’t required to comply may want to do so anyway to maintain customer trust.
What happens if you don’t comply?
Spoiler alert: nothing good. Businesses that don’t comply with requests from California residents within 30 days can face legal and financial consequences. Businesses have 30 days to fix noncompliance issues and avoid those penalties, according to the National Law Review. However, data breaches can’t be reversed, so businesses can still face liability in those cases.
Penalties vary by intent. If a business is unintentionally noncompliant—for example, if there’s an accidental data exposure—it can face a $2,500 fine per data record affected. If there’s a deliberate violation, such as knowingly selling information on consumers who’ve opted out, the penalty rises to $7,500 per record.
Don’t let those numbers fool you: let’s say a business that meets the 50,000-accounts threshold for CCPA compliance accidentally violates the law. It could face a total penalty of $125 million for unforeseen data exposure. The same business could face a fine of $375 million for deliberately selling information on 50,000 opted-out records.
The CCPA also allows consumers to sue after a data breach if personally identifiable, protected information, like driver’s license and Social Security numbers, is exposed.
How can you get compliant and stay that way?
Keep in mind that these are only meant to serve as guidelines. Please check with your legal department or an attorney when working with compliance requirements.
- Determine whether your business must comply with CCPA.
- Create a way for California residents to request their data and opt out of collection or sharing. Include clear communication about the receipt and completion of those requests.
- Understand how long you must retain customer data in case of a request. Review all your company’s data collection channels and storage tools to bring them all into compliance. This includes web forms, social media, email campaigns, databases, and more.
- Pay close attention to data collection, parental consent, and storage practices for children’s information.
- Review your company’s cybersecurity practices to identify and fix any problems. For example, you may need to implement a more stringent software patching and update program or reduce the number of employees who have access to sensitive information.
- Review your company’s agreements with third-party data processors to ensure their accountability and compliance.
- Build a training program for employees who work with customer data to develop skills and a culture of CCPA compliance.
The overall goal of the CCPA is simple—to give consumers a better understanding and control of their personal data. CCPA compliance can be a lot of work for companies, but it’s also an opportunity to build better relationships with customers, strengthen internal security practices, and establish a new way of protecting data in the long run.