1. There is a large amount of personal data, some of it sensitive, being channeled through national and international information superhighways.
2. California (with its CCPA privacy legislation), Virginia, Colorado, and Utah are part of a growing group of US states with comprehensive state privacy laws.
3. The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.
4. The best way for a business to ensure CCPA compliance is to develop a checklist and incorporate it into its data protection policy.
There is a lot of personal data, some of it sensitive, being channeled through the national and international information superhighways that feed businesses, governments, and other organizations.
The EU developed the General Data Protection Regulation (GDPR) to protect the personal data of people in the EU wherever in the world it is processed. On this side of the Atlantic, Brazil, with its Lei Geral de Proteção de Dados (LGPD), is among the countries in the Americas with a comprehensive national privacy law.
Unlike the EU and Brazil, the US does not have a single, comprehensive federal data privacy and security law.
California (with its CCPA privacy legislation), Virginia, Colorado, and Utah are part of a growing group of states with comprehensive state privacy laws.
What is the CCPA?
The California Consumer Privacy Act of 2018 (CCPA) came into effect on January 1st, 2020, and was designed to give consumers more control over the personal information that businesses collect about them. The CCPA, together with the regulations issued under it, sets out how businesses must implement these rights.
At the time it was considered landmark legislation, securing a comprehensive set of new privacy rights for California residents, comparable to the EU's General Data Protection Regulation, which protects the personal data of people in the EU.
CCPA Privacy Rights for California Consumers
- The right to know what personal information a business collects about them, and how it is used, analyzed, and shared with other parties and organizations.
- The right to delete personal information that has been collected from them, although there are some exceptions to this rule.
- The right to opt out of the selling or sharing of their personal information.
- The right to non-discrimination for exercising their CCPA rights; specifically, they must not be treated worse because they refused the sharing of their data or asked that it be deleted.
The California Privacy Rights Act of 2020 (CPRA) was approved by California voters in November 2020. It amended the CCPA, adding the following new privacy protections for consumers, which took effect on January 1st, 2023:
- The right to correct inaccurate personal information that a business holds about them, and
- The right to limit the use and disclosure of sensitive personal information that has been collected about them.
What are the key requirements of CCPA compliance? A checklist
The best way for a business to ensure CCPA compliance is to develop a checklist like the one below and incorporate it into its data protection policy.
- Establish whether your organization is subject to the CCPA.
- The CCPA does not apply to government agencies or not-for-profits, and it exempts personal information that is already covered by other privacy regulations, such as protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
- All other for-profit businesses that do business in California (irrespective of where in the world they are based) are subject to the CCPA if they meet one of the following criteria:
- Annual gross revenue of over $25 million;
- Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices per year (the CPRA raised this threshold to 100,000 consumers or households from January 1st, 2023); or
- At least 50% of the business's annual revenue comes from selling or sharing consumers' personal information.
- Establish whether you have any exposure to CCPA compliance via third parties.
- Many businesses share the consumer personal information they collect with third-party organizations such as billing services and credit card processors. To ensure CCPA compliance, the data protection practices of these third parties must conform to your company's data protection policy, and your contracts with them should say so. You can audit third-party vendors with targeted CCPA compliance questionnaires that evaluate their security practices and privacy protocols.
- Build an inventory and data flow map of all consumer data.
- This starts with itemizing all the personal information you collect about California residents, recording which records relate to individual consumers and which to households. Then build and maintain data flow maps for California consumers' information that also identify every third party it is shared with.
- Audit security and data protection controls and bring them up to industry standard, potentially with guidance from certified data security professionals, to ensure reasonable security measures around the storage and transmission of personal information.
- Develop a process to support consumers' data access requests under the CCPA. This enables you to comply with a consumer's right to know what personal information you hold about them and how it is processed. You must respond within 45 days of receiving a verifiable request; this can be extended once by a further 45 days (90 days in total) when reasonably necessary, provided you notify the consumer.
- Develop a process that allows consumers to correct any inaccuracies they discover in the personal information you hold about them.
- Allow consumers to limit the use and disclosure of sensitive personal information collected about them.
- Develop systems to honor a consumer's right to delete. Under the CCPA, California consumers have a right to request that a business delete their personal information; the same 45-day response window (extendable to 90 days) applies.
- Implement a process to honor a consumer's right to opt out. There should be a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on your website, with an easy opt-out process that also accepts requests made in writing.
- Develop systems to support a consumer's right to non-discrimination. This means ensuring that a consumer is not treated differently because they exercised their rights under the CCPA.
- Create a notice at collection and a process for delivering it. Consumers must be given a notice at or before the point where their personal information is collected, detailing the categories of information you collect and the purposes for collecting it, along with a 'Do Not Sell or Share My Personal Information' link if you sell or share that data.
- Train all staff and produce a written data protection policy.
What are the consequences of non-compliance with the CCPA?
The Office of the Attorney General (OAG) is responsible for enforcing the CCPA; since the CPRA amendments took effect, the California Privacy Protection Agency (CPPA) also has enforcement authority. The OAG sends notices of alleged noncompliance to at-fault companies. Originally a company had a mandatory 30 days to cure the alleged noncompliance after being notified; from January 1st, 2023 the CPRA removed that automatic cure period, and whether to allow a cure is now at the regulator's discretion. In cases of non-compliance, the consequences can be:
- Civil penalties: A court may impose civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, with no cap on the number of violations that may be brought. In 2022 the first public enforcement action under the CCPA was settled with the French retailer Sephora, which, according to reports cited by Forrester, was ordered to pay a $1.2 million penalty as part of a settlement that also requires it to rectify its CCPA non-compliance.
- Private right of action: For certain data breaches involving unencrypted and unredacted personal information, consumers may recover injunctive or declaratory relief and damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.
If you are looking to do business in California and need support from CCPA-compliant local staffing service providers, please get in touch with us at Horizons where we manage employee data in full compliance with the CCPA, where it applies.
Frequently asked questions
What does CCPA stand for?
CCPA stands for California Consumer Privacy Act. The CCPA is a privacy law that defines the privacy rights of consumers in California.
How does the CCPA differ from the GDPR?
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), applies across the whole European Union. The United States does not have a single, comprehensive federal data privacy and security law; the CCPA is a data protection law that applies to the state of California.