In recent years, businesses have become accustomed to the process of adjusting to new privacy laws. After all, it was only last year that the GDPR went into effect and impacted how companies use personal data all over the world.
Now, there’s another major regulation that went into effect in 2020. California rolled out the California Consumer Privacy Act (CCPA) — making it the first state-level privacy law in the United States. Experts say it’s a template for other states’ data privacy across the country.
Data-driven companies are preparing for this new regulation, much like they prepared for the GDPR ahead of May of 2018. Naturally, business leaders are asking the question: What does the CCPA mean for my business?
Today we’re explaining what the CCPA is, how it will impact your business, and any other lingering questions you may have about CCPA.
DISCLAIMER: The purpose of this article is to provide additional information and resources of a general nature about the CCPA. ZoomInfo does not intend for it to serve as legal or business advice or recommendations about handling consumer privacy within your unique business, and you should not construe it as such.
What is the CCPA?
The CCPA was created for the purpose of protecting the privacy and personal data of consumers who live within the state of California. This privacy law gives consumers the right to request a business disclose details about the personal information it collects about the consumer.
According to the official CCPA website, the act provides California residents with the following:
- The right to know about the personal information a business collects about them and how it’s used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Ownership of Personal Information
The CCPA grants consumers the right to know what information businesses are collecting about them. The act also gives consumers the right to tell businesses they cannot use their personal information.
Consumers may request that a business discloses the types of personal information it collects, the purpose of collecting that information, and who the information is being sold to. They may exercise these requests twice per year, free of charge.
Protection for Those Who Do Not Provide Businesses with Access to Their Personal Information.
The CCPA prevents discrimination against residents who don’t allow a business to sell their personal data.
In other words, if a consumer tells a business not to share their data, that business cannot charge the consumer more for services, deny them services, or offer services of lesser quality.
More Security and Protection Against Data Breaches
The CCPA requires businesses to implement “reasonable security measures” to protect California residents’ personal information from potential data breaches.
Businesses are subject to increased fines and penalties if they do not take adequate measures to safeguard the personal information they have collected from sales prospects and customers.
When Did the CCPA Go Into Effect?
The CCPA went into effect on January 1, 2020 and enforcement began July 1, 2020.
- Jan 1, 2020 = Bill becomes law
- Jan 31, 2020 = Data Brokers deadline to register
- July 1, 2020 = Enforcement begins
How Does the CCPA Define Personal and Public Information?
The CCPA defines “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CCPA documentation goes on to provide specific examples of personal data. The list includes, but is not limited to, the following identifiers:
- Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers.
- Commercial information including property records, product purchases, and other consumer histories and tendencies.
- Biometric data such as fingerprints and facial recognition data.
- Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements.
“Personal information” does not include publicly available information. As it pertains to CCPA, publicly available information refers to data that is lawfully made available by federal, state, or local government records.
Publicly available information is data lawfully published by federal, state, or local government. Public data is not considered personal information.
The following are examples of publicly available information, which is not subject to CCPA regulations:
- Government real estate records & security interest filings
- Widely distributed media sources, such as a telephone book, television or radio, online or print publications
- Mortgage information included on public records
How Do I Know if My Business is Affected by CCPA?
The CCPA applies to any for-profit organization that collects, shares, or sells California residents’ personal data and meets any of the following three criteria:
- Has an annual gross revenue of $25 million or more.
- Possesses the personal information of 50,000 or more consumers, households, or devices.
- Earns more than half of its annual revenue by selling personal information.
To help your team discuss the implications for your business, here are some questions you can ask yourself:
- Does our business meet the requirements for CCPA?
- What does our business need to be compliant?
- How can our customers opt out directly from the website?
- What other information should be on our website?
- Should we add language to our contracts (existing and new ones)?
- Is there anything we need to do in terms of data/security breaches?
- Anything that we need in terms of certifications?
If My Business is GDPR Compliant, Does That Mean it’s Also CCPA Compliant?
The CCPA and GDPR have many similarities in terms of how they protect personal data. But, there are several key differences between the two regulations.
For one, the GDPR applies to data controllers and data processors. The CCPA only applies to for-profit businesses that meet one of the aforementioned requirements.
Check out our infographic on GDPR compliance – A Marketer’s Cheat Sheet To European Data Privacy Regulations
The GDPR also provides consumers the right to correct inaccurate personal data and restrict or object to data processing. The CCPA does not specifically include these rights. But, the CCPA does include additional requirements that the GDPR does not.
These requirements include adding a “Do Not Sell My Personal Information” option on business websites, disclosing personal information sale or collection to the consumer, and nondiscriminatory treatment of consumers who exercise their CCPA rights.
In short, you should not assume that your GDPR-compliant business is also CCPA compliant.
What are the Penalties for Violating CCPA?
The California Civil Code for CCPA includes the seriousness of the misconduct, past violations, the persistence of misconduct, the company’s net worth, and other factors.
According to this, a business that does not adhere to the new regulations will be at risk for the following sanctions and remedies:
- Companies can be authorized to exercise opt-out rights on behalf of California residents
- Companies that experience a data theft or other security breach can be ordered to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater
- Companies can also face any other judgment a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it
- In addition, companies can face a fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation
How Do I Make Sure My Business is CCPA Compliant?
There are several steps your business must take to ensure consumers are able to exercise their rights under the CCPA. These are as follows:
- Provide two or more methods for consumers to submit requests about their personal information. At a minimum, these methods must include a toll-free telephone number, and at least one additional method such as a designated email address or online form.
- Establish protocols to respond to consumer requests within 45 days of receiving them.
- Update your privacy policies to include new CCPA privacy rights.
- Analyze your data collection and documentation processes. Ensure that you are able to track how you collect data, how you use it, where it resides, and have a system in place to provide consumers with this information.
- Provide consumers with notice that their personal information is being sold. Implement a process to honor opt-out requests in a timely manner.
- Assess and document your data security practices to ensure your business takes the necessary steps to avoid data theft and any other security breaches.
Make sure your legal team reviews the entire CCPA initiative to identify all steps your business must implement to remain compliant. We highly recommend that you educate your entire staff on the key requirements of CCPA compliance.
Verifying Customer Privacy Requests
Once the request is made, your business must honor the consumer’s decision for at least 12 months.
Any business that falls under the purview of CCPA needs to have a “Do Not Sell My Personal Information” link or button that appears somewhere “conspicuous” on the website homepage as well as “any internet web page where personal information is collected”.
The link will need to take visitors to a webpage where they can opt out of having their personal information sold or shared.
Similar to the “Do Not Sell My Personal Information” link, all impacted businesses will need to provide a toll-free phone number for California residents to exercise the same rights under CCPA.
CCPA and the Future of State-Level Data Privacy
Although California is the first state to implement such privacy regulations in the U.S., it certainly will not be the last. More states have begun to draft similar legislature and we’ll likely see many similar regulations pop up in the next several years.
We understand the challenges that come with understanding new data privacy acts, particularly when there are distinct differences between each regulation.
But, the GDPR, the CCPA, and any data privacy act to follow all serve an important purpose. And, that is to give consumers more control over their personal data.
As the world of data and business intelligence continues to evolve, these new protection acts are a step in the right direction when it comes to data security and responsibility.