What to Know About California’s Data Privacy Law (CCPA)

Data privacy has become an increasingly important asset for consumers, but the ability to collect and share that data has become more and more valuable for businesses at the same time. Before using data they collect, companies must put systems in place to ensure it is secure and that consumers are not subject to intrusion or privacy violations as a result of unsafe data collection or sharing practices. Putting customer data at the risk of falling into the wrong hands and potentially violating their privacy puts your business at risk of running afoul of the law.

The rise of California’s Consumer Privacy Act.

As data privacy becomes more important than ever in the view of consumers and regulators. authorities are developing new rules and regulations concerning data privacy for businesses of all types. One in particular, the California Consumer Privacy Act or CCPA, which came into effect in January 2020 and enforcement of which began about six months later, considerably changed how firms that conduct business in California can gather, store and use personal information from consumers and users. The CCPA was designed to offer a level of legal protection to covered consumers that was previously unavailable, and the move is apt to set off similar legislation in other states.

The CCPA applies to firms in certain categories.

The CCPA applies to for-profit businesses that a.) collect or sell personal information of California residents and that b.) conduct business in California. In other words, it is not necessary for companies to be based in California or to have any physical presence in the region to be subject to CCPA.

They must also meet at least one of these criteria:

1. The business generates $25 million or more in annual revenue.
   
   
2. The business purchases or sells personal data of 50,000 or more California residents.
   
   
3. The business generates more than half its annual revenues selling personal information of California residents.

The CCPA confers new privacy rights.

As per the CCPA, any California resident has a right to get a full list of data a business gathers about them and also entitled to know which businesses have shared that data with any third party. In certain cases, if a company violates the privacy guidelines in the CCPA, consumers have the right to sue, even if there has not been an information breach.

Companies that violate the CCPA may face fines, legal action.

The state’s attorney general may recover damages for CCPA violations that aren’t cured within the 30-day period. The fine can be up to $7,500 per record affected for intentional violations and up to $2,500 for negligent violations. In cases for which the issue is not cured, or in which the attorney general declines to assess a fine, consumers can bring a class-action suit.

The CCPA includes a broad swathe of data.

The CCPA takes a wide approach on which data can be considered “personal information,” such as:

• Identifying information. This category includes an individual’s real name, postal address, online identifiers, IP address, other unique personal identifier(s), account name, email address, Social Security number, passport number, driver’s license number or other similar information.

• Any protected classification information that also comes under California or federal law.

• Information such as records of personal property, of services or products purchased, or any other information that shows users’ purchasing or consuming histories or trends.

• Any biometric data.

• Internet activity, comprising any information including but not limited to search history, browsing history or any data related to a consumer’s interaction with a website, application, or advertisement. 

• Geolocation information.

• Professional or job-related data.

• Educational data that is not publicly available.

Companies subject to the CCPA must abide by the following terms:

1. Consumers must be informed which categories of personal information are to be collected and its purposes.

2. Contract terms implemented with service providers must prohibit any actions outside the CCPA without first notifying the consumer.

3. California residents should be allowed to opt-out of the sale of their information.

4. Be ready to disclose to consumers upon their request what categories and pieces of personal information are collected.

5. A toll-free number or online form must be provided for consumers to access and request deletion or opt-out of the sale of their personal information.

6. Opt-in consent must be obtained from children between ages 13 to 16 before selling their information; a parent or legal guardian is required to opt-in on behalf of children less than age 13.

7. The same products, service quality and price levels must be provided to all consumers without differentiation.

8. Service providers must ensure the process, use or sale of consumer personal information complies with the CCPA.

9. Service providers should verify that any subcontractor activity aligns with the CCPA.

10. Third-party companies must notify consumers before selling their personal information and provide the ability to opt-out. Also, third parties must use consumers’ information according to the promises made at the time of collection.

Tools companies can use to comply:

• Update your privacy policy with a description of a consumer’s rights under the CCPA. Keep it straightforward and easily accessible.

• Classify your data. Document the categories and specific pieces of consumers’ personal information collected, the sources of the information, the purpose for collection, and the categories of third parties the information is shared with.

• Implement internal processes to respond to consumers’ rights requests. The CCPA aims to give consumers more control over their data, so businesses must be ready to respond to their requests in a timely manner.

• Adopt appropriate data security practices and solutions. Networking operations, IT, cyber-security, software and other measures related to the tech sector of any company must be reflect a good understanding of the law’s implications for the digital environment.

• Opt for solutions such as encryption and data loss prevention products. All important data should be encrypted, even if not in use. Portable devices should also use encrypted disk solutions if they house important information. 

• Provide consumers notice that their data is being sold to a third party.