What Is The CCPA?
May 5, 2020
The California Consumer Privacy Act (CCPA) was created to provide consumers in the state of California with additional rights and protections related to how businesses are permitted to use their personal information. This state statute was enacted in 2018 and put into effect in January 2020.
In this article, we’ll take a look at what the CCPA is and how the CCPA impacts businesses and consumers.
What Is The Purpose of CCPA?
In the past few years, customers have expressed growing concerns about the fate of their personal data in the hands of businesses and corporations. The purpose of the CCPA is to protect the data and privacy of consumers. The CCPA endows residents in the state of California with the following rights:
- The right to be informed that personal data is being collected, used, sold, and/or shared by businesses
- The right to request the deletion of personal data
- The right to prohibit businesses from selling their personal information
- The right to access any personal data collected by businesses
- The right to not be discriminated against (higher prices, lower levels of service, etc.) for exercising these rights
In the event that these rights are breached, the CCPA grants California residents the right to sue.
What Is Personal Information?
It is important to know what personal information is to have a good understanding of the implications of the CCPA. The CCPA defines personal information as the following: “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140.o1).
The different categories of personal information under the CCPA are direct identifiers, unique identifiers, biometric data, geolocation data, internet activity, and sensitive information. Examples of direct identifiers include first and last name, social security numbers, and home address. Unique identifiers refer to data like account names, cookies, and IP addresses. Location history is the primary example of geolocation data. Internet activity refers to browsing history and search history. Biometric data encompass voice and face recordings. Finally, health data is an example of sensitive information.
Overall, any data that can be used to identify an individual or a household is considered personal information under the CCPA. Data that is anonymous or aggregated generally is not covered by the CCPA. In some cases, suppression of data may be necessary to prevent the identification of specific individuals or households by inference or by combining multiple sources of anonymous or aggregated data.
Which Businesses Must Abide by the CCPA?
Not all businesses must abide by the CCPA. There are certain requirements that a company must fulfill before being forced to comply with this state statute. The following companies are required to abide by the CCPA:
- Companies that earn more than $25 million in annual gross revenue
- Companies that collect the personal information of at least 500,000 residents, households, and/or devices in California each year
- Companies that derive more than half of their annual revenue from selling the personal information of California residents.
Notably, companies outside of the state of California are also expected to comply with the CCPA. After all, most of the businesses in the United States do business with consumers in California. Also, many other states have enacted similar legislation. Some examples of such states include Washington and New Jersey.
Are B2B Businesses Exempt from the CCPA?
“No” is the short answer to the question “Are B2B businesses exempt from the CCPA?” However, in truth, the answer is a little more complicated than that. The CCPA is not entirely black and white when it comes to business-to-business (B2B) companies. According to the CCPA, all communications and transactions that occur during the process of a business providing or receiving a product/service are exempt from the CCPA. Therefore, it appears that B2B businesses are exempt from the CCPA in terms of emails and other forms of communication. This exemption is only in place until January 2021.
However, B2B companies must still comply with the CCPA when it comes to allowing individuals to say no to the sale of their personal information and making sure consumers who exercise their data privacy rights are not exempt.
Overall, while there are some short-term exemptions that B2B companies are currently enjoying, the CCPA does have major implications for B2B companies. It is in the best interest of B2B companies to take advantage of these short-term exemptions to make the transition to this new normal for data privacy laws a little less rocky.
What Is the Difference Between the CCPA and the GDPR?
One question that you may have is “What is the difference between the CCPA and the GDPR?” The GDPR, which stands for the General Data Protection Regulation, is a regulation pertaining to data privacy in the European Union as well as the European Economic Area. The GDPR also regulates the transfer of personal information in areas other than the EU and EEA.
The GDPR was enacted in May 2018 to standardize data privacy laws across all 28 countries in the EU. The GDPR requires businesses to protect the personal data associated with all transactions occurring in the EU. This includes US businesses conducting transactions in the EU.
The main difference between the GDPR and the CCPA is that the latter only protects the privacy and data of California residents. On the other hand, the GDPR is only applicable for transactions in the EU. Another key difference is that the primary focus of the CCPA is to regulate the sale of personal information. The main focus of the GDPR is to regulate data ownership and the rights to personal data deletion.
What Does the CCPA Mean for Businesses?
The CCPA requires that all residents of California know what personal data is being collected and how this information is being used. However, the CCPA may mean that businesses need to grant these new data privacy rights to all customers. The reason for this is that it is often difficult for a business to know for sure where a user is located. Therefore, for many businesses, it is in their best interest to blindly apply the CCPA rights to all customers due to the inability to distinguish between consumers from California and consumers from other states. Also, as noted above, many states are working to enact statutes similar to the CCPA.
Businesses can face civil penalties of $2,500 per violation under the CCPA and up to $7,500 for all intentional violations. In general, a business will first receive notification of alleged noncompliance. If the business fails to rectify the violation within 30 days, the business will be considered in violation of the CCPA and may face civil penalties and civil actions for injunctions from the California attorney general. As mentioned above, California residents are able to sue businesses for violations as individuals or classes.
How Should Businesses Prepare for the CCPA?
There are a number of steps that businesses should take to prepare for the CCPA. These steps include updating their website and ensuring personal data security. This section will outline how businesses can adequately prepare for the CCPA.
All businesses should update the privacy policy on their website to ensure the personal data they collect is clearly outlined. Not only should the privacy policy mention what personal data is collected, but it should also explain why it is stored and how it is processed and used. A section of your website should provide your consumers with clear instructions on how to make a request to access their personal data. You can provide a toll-free telephone number that consumers can call to make a right-to-access request. Provide a thorough explanation of how your business intends to validate the identity of individuals who make right-to-access requests.
Under the CCPA, the California Attorney General has the power to impose fines in the event of a breach of personal consumer information. However, these penalties are only applicable to businesses that did not take the right steps to protect personal data.
Be sure that all the personal information you collect from your consumers is encrypted. Redaction is another method that you can use to protect the personal information of your California consumers. Not only do you need to protect the data through encryption or redaction, but you may need to completely restructure the way you collect and store data to ensure that you have the ability to find personal information no matter where it is stored. The reason is that consumers can make right-to-access requests, which means you need to be able to find and provide this data in an efficient manner. As you can imagine, this can be a very time-consuming and difficult process.
In Conclusion
In conclusion, the CCPA has the potential to have national and even global implications when it comes to data privacy for consumers. California was the first state in the country to enact legislation to protect consumer data and privacy. Many states are expected to follow suit in the next few years. For more information about what the CCPA is, don’t hesitate to contact us.