California is well-known for spearheading game-changing regulations. Lawmakers created the California Consumer Privacy Act (CCPA) as an alternative to stricter legislation, so the details of CCPA are somewhat blurry to most individuals. In this post, we’ll share with you the information you need to know about CCPA and how it applies to your business in Idaho.
What is CCPA?
As mentioned, CCPA stands for California Consumer Privacy Act. It went into effect on January 1, 2020. If a company doesn’t abide by CCPA, Californians can file private lawsuits pursuing civil penalties for violations.
Much of the confusion surrounding CCPA is because the legislation works as an alternative to the California Consumer Personal Information Disclosure and Sale Initiative. Also, CCPA followed a series of other state laws including:
- Online Privacy Protection Act
- Privacy Rights for California Minors in the Digital World Act
- Shine the Light Act
However, amid all of the new state laws, CCPA is the most similar to the European Union’s General Data Protection Regulation (GDPR). Nevertheless, this California-specific law protects the collection and sale of consumers’ personal information. It also provides consumers specific rights regarding their data, as well.
What organizations are covered by CCPA?
Up to 500,000 organizations could be affected by the new data privacy law. As imagined, companies who do business in California will be impacted by CCPA—aside from nonprofits, however. In short, any company that collects Californians’ personal information for themselves or on behalf of another company must comply with CCPA. This applies to a lot of Idaho companies doing business in California.
To be more specific, an organization must satisfy at least one of the following to comply:
- The company’s annual gross revenue is more than $25M
- The company buys, sells, or shares data of more than 50,000 California residents, households, or devices
- The company derives at least 50% of its annual revenue from selling consumers’ data.
What is Personal Information under CCPA?
Arguably, the definition of “personal information” could be the most complicated part of understanding CCPA—or any data privacy law, for that matter. Still, personal information broadly includes data that can identify, relate to, describe, be associated with (or can reasonably be associated with) a particular consumer or household.
What rights do consumers have over their Personal Information under the CCPA?
Even though it’s the most comprehensive data privacy law in the US, CCPA undoubtedly gives Californians more control over their data. This approach has a few facets, though, such as:
CCPA allows Californians to know the “what, who, and why” surrounding their data. In other words, a business that collects a consumer’s personal information must inform the consumer when or before they collect the information. The business is also obligated to tell the consumer what was collected and for what purpose.
Access and information
In the same transparent vein, CCPA gives consumers the right to request information regarding the following:
- The categories of personal information businesses are collecting about them
- The sources from which personal information is being collected
- The categories of personal information sold to third parties
- The categories of personal information disclosed for business purposes
- The categories of third parties to whom the personal information was sold or disclosed
- The business or commercial purposes for which the personal information was collected or sold
- The “specific pieces” of information collected
Consumers now have the right to request that covered businesses and their direct service providers delete personal information collected about them.
Consumers can “opt out” of the “sale” of their personal information. Also, covered organizations must provide a “do not sell my personal information” link on their business’s internet homepage. The link must connect to a web page where consumers can opt out of having their personal information sold to third parties.
The Act also prohibits organizations from discriminating against consumers for exercising their CCPA rights.
CCPA Enforcement and Penalties
Remember that if a company fails to comply with CCPA, Californians can file private lawsuits. That said, consumers can collect between $100 and $750 for each event. And this is in addition to the California Attorney General seeking civil penalties per violation, too. However, each unintentional violation with a maximum penalty of $7,500 is subject to a preset $2,500 fine.
What should covered organizations do to prepare for CCPA?
Keep in mind that although this Act is designed specifically for California, it will impact organizations all across the country, mainly because CCPA protects Californians who do business anywhere in the US. And no savvy business person is going to walk away from the fifth largest economy in the country. Instead, lawyers anticipate companies all over the US to abide by the new data privacy law, changing the dynamics of business in the future.
To keep up with CCPA regulations, here are a handful of actions to consider for your business:
- Conduct an internal audit to identify and map personal information.
- Review and identify existing (or needed) organizational and technical procedures to make compliance smoother.
- Create and review your data retention schedule, making the obligation to safeguard data a top priority.
- Update consumer notices of collection and processing activities.
- Identify personnel who are responsible for handling consumer access rights and other rights under CCPA. (Note: Documenting training and training, in general, are essential.)
- Review agreements with service providers that have access to consumer information.
- Make sure to have sufficient insurance to cover CCPA non-compliance liability.
Now you should be better prepared for the CCPA.