What is CCPA?
The California Consumer Privacy Act (CCPA) is a bill passed on June 28, 2018, designed to safeguard California consumers through transparent communication and enhanced privacy rights. The CCPA, also commonly referred to as AB 375 (Assembly Bill No. 375), allows California consumers to view the personal information a business has collected on them and the third parties that have received or would receive that information. The CCPA takes effect on January 1, 2020, when compliance enforcement begins.
What are the California consumer rights?
The CCPA gives California consumers access to largely undisclosed information about the collection of their personal information. In January 2020, California consumer rights will include:
- Knowing what personal information is being collected, and accessing that data
- Knowing if and to whom the personal information is being shared or sold
- Knowing how personal information is being collected
- Knowing why the business is collecting personal information
- Requesting the removal of the collected personal information
CCPA’s goal is to ensure California consumers are aware of what personal information is being collected and used by businesses while offering the option to prevent businesses from obtaining or continuing to use their information.
CCPA definition of personal information
But what is the CCPA definition of personal information? The bill defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Some examples include:
- Personal identifiers: real name, email address, account name, etc.
- Commercial information: personal property, services obtained, purchasing history, etc.
- Internet or other electronic information: browsing history, search history, app interaction, etc.
- Geolocation data
- Inferred data: information used to create a consumer profile, such as preferences, psychological trends, behavior, etc.
Note: Publicly available information is not considered personal information.
Who does the CCPA apply to?
The CCPA applies to companies that serve California consumers (regardless of the company's physical location), collect personal information, and meet any of the following criteria:
- Has an annual gross revenue of $25 million or more
- Has 50,000 or more consumers’ personal information
- Has received over half their annual revenue from selling personal information
How to comply with the consumer privacy act?
The following points describe the main ways your business can comply with the CCPA. The complete compliance rules can be found here.
- Include a clear link titled “Do Not Sell My Personal Information” on the homepage for consumers to opt out of the collection of personal information
- Allow a person the consumer has authorized to opt out on the consumer's behalf
- Option to create a separate homepage for California consumers with the appropriate link
- Do not sell the collected personal information of consumers who have opted out
- Wait 12 months after a consumer has opted out before sending an opt-in request
- Ensure all individuals handling consumer personal information are well informed on the rules and protocols
- Include methods for requesting data access, such as a toll-free number
- Update the privacy policy with California residents' rights
- Be able to separate collected data according to a user's privacy choices, so that a consumer can view the collected data and whether and to whom it was sold, via an access request that must be completed within 45 days
What are the consequences if not in compliance?
If a business is not in compliance with the CCPA, it risks the following consequences.
- The CCPA gives consumers the right to sue
- A business has 30 days to amend a potential breach once a consumer provides written notice to the company that their privacy rights were violated
- If the breach is not amended, the consumer can bring a civil class action lawsuit for $100 to $750 per resident per incident or actual damages, whichever is greater
- An intentional violation can be fined up to $7,500 and any unintentional violation can be fined up to $2,500
While the CCPA applies only to California residents, experts expect that other states will soon adopt similar acts to protect consumers' personal information. Businesses that act now to safeguard consumer information will be better equipped when new information privacy laws in the US are enforced.