The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, making it one of the newest major privacy laws. You have probably received emails from various companies notifying you of changes to their privacy policies because of the CCPA. But what does it all mean?
The CCPA has been called the American version of the GDPR, and it will have a big impact on how businesses operate all over the world. Here is what you need to know about the CCPA and how to comply with it.
Who needs to comply?
A business must comply with the CCPA if it does business in California, collects the personal information of California residents, and meets any one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50 percent or more of its annual revenue from selling consumers' personal information.
Companies do not have to be based in California (or even the United States) or have a physical presence in the state or country to be affected by the law. Much like the GDPR, the CCPA is borderless. If you meet any of the above criteria, regardless of location, then compliance is necessary.
The law came into effect on January 1, 2020, but the California Attorney General cannot begin enforcement actions until July 1, 2020. This is not a general grace period: the consumer rights, and the private right of action for data breaches, apply from January 1.
What is covered under the CCPA?
While the CCPA draws many parallels to the GDPR, there are a few differences. Generally, if you are already GDPR compliant, then you are already most of the way there, but of course, there is more you will have to do.
In essence, the CCPA aims to give consumers more protection and control over who has access to their personal data. Personal information under the CCPA includes names, addresses, usernames, email addresses and phone numbers, as well as online identifiers such as IP addresses and device identifiers.
The law also covers characteristics such as sexual orientation, marital status, race, religion and military or veteran status, along with biometric information. However, information that is lawfully made available from federal, state or local government records is excluded, so companies may still collect personal data from public government records.
The CCPA gives consumers the following rights:
- The right to know what personal data a company has collected on them
- The right to opt out of the sale of their personal information
- The right to sue a business whose failure to implement and maintain reasonable security procedures results in a breach of their nonencrypted and nonredacted personal information
- The right to delete personal information
- The right to not be discriminated against for refusing to allow the sale of personal data
- The right to be informed about what types of data will be collected prior to the collection of data
- The right to opt-in consent before the personal information of consumers under 16 is sold (with parental consent required for children under 13)
- The right to know what categories of third parties are purchasing their personal data
- The right to know the sources from which personal data was collected
- The right to know the purpose for collecting personal data
While consumers who live in California are the ones who this law was created for, the CCPA has a far bigger reach than initially anticipated. Some companies, such as Microsoft, are extending the CCPA to all of their customers in the US. The law is certainly having a ripple effect on data privacy laws across the United States and the world.
How to be CCPA compliant
In order to comply with the CCPA, companies must put appropriate protection in place for the data they collect and store. Data breaches are a regular occurrence, and the CCPA aims to force businesses to improve the security of that data. Organizations that fail to comply risk penalties from the Attorney General and lawsuits from consumers.
One of the more difficult aspects of compliance is data mapping. Businesses need an inventory that records what data they collected, from which sources, where it is stored, and which third parties it was sold to (if applicable). Consumers can now request that their data be deleted, and a business must respond to a verifiable request within 45 days, so it is important to know where that data is and to be able to delete it from every system that holds it.
Additionally, it is crucial to set up a process that allows consumers to opt out of having their data sold. There should be a clear and conspicuous "Do Not Sell My Personal Information" link on your website's homepage and in your privacy policy. The process for requesting deletion should be equally clear.
Being able to properly verify the identity of the requester is an important part of this process. You will need to confirm that someone is who they say they are, quickly and accurately, before acting on a request. If you do not, you run the risk of deleting the wrong person's information or disclosing someone's personal data to an impostor; a failed verification should result in no action and no disclosure.
Updating your privacy policy is another important aspect of CCPA compliance. It should state what categories of personal information you collect, the sources you collect it from, why you collect and process it, whether you sell it and to which categories of third parties, how consumers can exercise their rights to know and to delete, and how they can opt out of the sale of their data.
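The three requirements above (a data map, an opt-out, and verification before acting on a request) fit together as one workflow. The following is an added illustration of that workflow, not code from the original article or from any real product: the store names, the mailed one-time code used for verification, and the sample consumer are all hypothetical. It shows the point that matters for security: a request that fails verification disclosing nothing and deleting nothing, and a deletion walking the data map to reach every store rather than only the one the request arrived at.

```python
"""Added illustration of a consumer-request workflow built around a data map.
Hypothetical stores, names and data; not code from the original article."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45        # CCPA: respond to a verifiable request within 45 days
DEMO_RECEIVED = date(2020, 1, 1)  # constructed request date for the demo


@dataclass
class MapEntry:
    """One row of the data map: where a consumer's data lives and why it was collected."""
    store: str           # system holding the data, e.g. "crm" (hypothetical)
    key: str             # primary key inside that store
    category: str        # e.g. "identifiers"
    source: str          # where the data was collected
    purpose: str
    sold_to: list = field(default_factory=list)  # categories of third parties it was sold to


@dataclass
class Consumer:
    email: str
    token_hash: str      # SHA-256 of a one-time code mailed to the consumer (assumed scheme)
    do_not_sell: bool = False
    entries: list = field(default_factory=list)


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class RequestHandler:
    def __init__(self, consumers, stores):
        self.consumers = {c.email.lower(): c for c in consumers}
        self.stores = stores        # {store_name: {key: record}}
        self.audit = []             # (event, email) pairs for the compliance log

    def _verify(self, email, token):
        """Return the consumer only if the one-time code matches; otherwise fail closed."""
        c = self.consumers.get(email.lower())
        if c is None or not hmac.compare_digest(c.token_hash, hash_token(token)):
            self.audit.append(("verification_failed", email))
            return None
        return c

    def due_date(self, received: date) -> date:
        return received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def right_to_know(self, email, token):
        c = self._verify(email, token)
        if c is None:
            return None             # nothing is disclosed to an unverified requester
        self.audit.append(("know", email))
        return [{"category": e.category, "source": e.source,
                 "purpose": e.purpose, "sold_to": list(e.sold_to)} for e in c.entries]

    def opt_out(self, email, token):
        c = self._verify(email, token)
        if c is None:
            return False
        c.do_not_sell = True        # checked by any downstream sale/sharing pipeline
        self.audit.append(("opt_out", email))
        return True

    def delete(self, email, token):
        """Erase the consumer's records in every store the data map points to."""
        c = self._verify(email, token)
        if c is None:
            return 0
        removed = 0
        for e in c.entries:
            if self.stores.get(e.store, {}).pop(e.key, None) is not None:
                removed += 1
        c.entries.clear()           # the map no longer points anywhere
        self.audit.append(("delete", email))
        return removed


def make_sample():
    """Constructed sample data (not real consumers); fresh copies on every call."""
    stores = {
        "crm":       {"c-1001": {"name": "Ada", "email": "ada@example.test"}},
        "analytics": {"dev-77": {"ip": "203.0.113.9", "device_id": "dev-77"}},
    }
    ada = Consumer(
        email="ada@example.test",
        token_hash=hash_token("one-time-code-123"),
        entries=[
            MapEntry("crm", "c-1001", "identifiers", "signup form", "account management"),
            MapEntry("analytics", "dev-77", "internet activity", "web beacon",
                     "advertising", sold_to=["ad networks"]),
        ],
    )
    return [ada], stores


def demo():
    h = RequestHandler(*make_sample())
    wrong = h.right_to_know("ada@example.test", "guess")                # None
    report = h.right_to_know("ada@example.test", "one-time-code-123")   # two entries
    h.opt_out("ada@example.test", "one-time-code-123")
    removed = h.delete("ada@example.test", "one-time-code-123")         # 2
    return wrong, report, removed, h


if __name__ == "__main__":
    _, report, removed, h = demo()
    print(report, removed, h.due_date(DEMO_RECEIVED), h.audit)
```

The deletion relies entirely on the data map being complete: a store that was never recorded in the map is never visited, which is why the article calls data mapping the hard part. The constant-time comparison of the verification code is a small detail, but it avoids turning the request endpoint into an oracle for guessing codes.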
Realistically, it’s probably worth it to be CCPA compliant for all of your customers, whether they are California residents or not. While it may be a big undertaking, it is probably easier than trying to isolate specific information regarding residents of California.
What are the penalties for non-compliance?
Failure to comply with the CCPA can lead to civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. While these numbers may seem low, they are assessed per violation, so something as simple as a missing opt-out link can add up very quickly across a large user base. Separately, consumers suing over a data breach can recover statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), which matters when a breach affects millions of users.
Consumers also have the right to sue, in the circumstances described above. However, a consumer seeking statutory damages must first give the business written notice, and the business then has thirty days to cure the violation before the case can proceed to court.
While we will have to wait and see whether the California Attorney General is as strict as the European data protection authorities, California is known for protecting its residents. Given how many large companies are based in California, it will be interesting to see how this plays out.
How does the CCPA compare to other privacy acts?
The CCPA is currently the strongest consumer privacy law in the United States. While there are strong federal protections for specific kinds of data, such as HIPAA for medical data and COPPA for children's data, aside from the CCPA there is not much protecting general consumer data.
Compared to the rest of the world, the CCPA is fairly strong. Two laws commonly regarded as stricter are the GDPR and South Korea's Personal Information Protection Act (PIPA). Both have a broader scope than the CCPA, and both have so far produced far larger penalties, although this may change over time.
If the CCPA ends up being successful, there is a good chance that similar laws get adopted by other states and for consumer privacy laws to expand to a federal level. Privacy laws surrounding personal data are sorely lacking in the United States, and the country will need to start developing some sort of law soon to keep up with the rest of the world.
Conclusion – The future of privacy
The CCPA is currently very much in its infancy, and to understand its true effectiveness we will need to wait and see. The law is very promising, and could greatly impact privacy laws in the United States for the better. Only time will tell if it will truly be a success or not.
The success of the CCPA relies on the authorities and consumers themselves. Consumers will need to be vocal if companies are non-compliant, and actively take advantage of their new rights. Authorities will need to take a tough stance, much like their European counterparts, and ensure that the new law is being sufficiently enforced.
Compliance is certainly going to be an issue; several major tech companies are already complaining about the new law. Complying with the CCPA will cost companies a fair amount of time and money, as many will have to update their systems. Facebook continues to insist that it does not sell consumer data and therefore believes it is already compliant. Given Facebook's track record, we aren't inclined to agree.
Data protection is the future, and the CCPA has the potential to bring at least a part of the United States onto the same level as many other first world countries. It’s exciting to see such a comprehensive new law come into effect, and perhaps impact the rest of the country as well.