Summary: The California Consumer Privacy Act (CCPA) is a ground-breaking data privacy regulation that came into effect on January 1, 2020, providing new data privacy rights to California residents. This article discusses what CCPA is, who it affects, how its five pillars impact business operations and how compliance to this law can benefit businesses to grow their brand and improve customer loyalty and trust.
You finally managed to get a handle on the whole GDPR business. But wait, the fun's not over yet! Now you must contend with the California Consumer Privacy Act (CCPA), which took effect on January 1 2020, and comes with its own set of rules and headaches.
What is CCPA?
The California Consumer Privacy Act is meant to strengthen consumer protection and the privacy rights of California residents. The new legislation applies to all businesses to provide services or products to consumers in the Sunshine State.
Irrespective of your personal take on the CCPA, you have to agree that the Act is revolutionary. In fact, pundits equate it to the beginning of a GDPR-like structure within the United States.
Surprisingly, America has never had a federal law governing the data rights of its citizens. But under the CCPA regulations, organizations must be fully transparent regarding the collection, sharing, and use of consumer information.
So Why California?
Because it makes the most logical sense. California has always been a pioneer of sorts as far as data privacy regulations are concerned. The state previously operated under CalOPPA (California Online Privacy Protection Act). And now the CCPA serves as a potential starting point for sophisticated privacy regulations that can be adopted nationwide.
CalOPPA (California Online Privacy Protection Act). And now the CCPA serves as a potential starting point for sophisticated privacy regulations that can be adopted nationwide.
While the law has multiple subsections, companies that employ or service Californians will find the following five pillars to have the greatest impact on their present operations:
- Protect individual rights to opt-out of data selling
- Protect individual rights to data erasure and access
- Identify and fix vulnerabilities and gaps in information systems
- Update SLAs with third-party data processors
- Map in-scope personal information and instances of selling private data
Your organization may already adhere to GDPR (General Data Protection Regulation) requirements, but you need to get your business operations up to speed with CCPA standards within the grace period (six months from the date of official CCPA activation).
How Does CCPA Matter from Data Privacy Standpoint?
The CCPA provides permanent residents of California with new data privacy rights. They can know what and how personal information is used, request deletion and prevent businesses from collecting further information about them. Sponsored by the advocacy group Californians for Consumer Privacy, the CCPA has been termed "the most comprehensive privacy law in the country."
The implications of the landmark CCPA law extend far beyond California and represent a considerable shift in attitudes regarding data privacy in the US. For example, One Trust survey found that only 2 percent of businesses considered themselves CCPA compliant as of late August 2019. But the requirements are forcing businesses to take consumer data privacy seriously.
What's more, a report from Capgemini Research Institute shows that consumers want to do business with organizations that enforce data privacy over those that don't. 39 percent of consumers from the survey revealed they would purchase more goods from companies that safeguard their data, while 70 percent of respondents want to stop dealing with businesses that lack sufficient data privacy protection measures.
This is why organizations need to buckle up and strengthen their data security processes. They must pay attention to customer privacy while following the regulations laid down by data privacy regulation laws like the CCPA. These laws empower consumers to control personal data.
Also, complying with these regulations help businesses grow their brand and improve customer loyalty and trust. So, companies must have the right data protection methodologies and tools in place. Of course, juggling accessibility and security is hard, but businesses will get tangible benefits in the long run.
Thus, data privacy must be at the forefront of an organizations' business strategy to save time and money.
CCPA applies to all for-profit organizations that operate in California and either:
- Have a minimum annual gross revenue of $25 million
- Make more than half of their annual revenue by selling consumer's private data
- Own data on more than 50,000 households, devices, or consumers
Business owners operating in California and collecting, sharing or selling Californian consumer's private data will probably be governed by the CCPA if they meet any of these benchmarks. The reach of the CCPA extends to organizations that own, are owned by, or share common branding with a covered businesses.
For that reason, businesses modify their data handling practices for implementing CCPA:
Find out whether CCPA applies to any aspect of your organization. Even if the measures don't seem to apply to your business, you should read the whole law since the definitions of "sale" and "personal information" are comprehensive.
Perform Gap Analysis
If CCPA applies to your business, identify and analyze gaps or loopholes that exist between your present rights management policies and the ones you must enact to fulfill the requirements.
Review Activities and Processes
Understand the business activities and processes covered by the law and pay attention to the requirements involving minors.
Check Map Data Usage
Have a transparent, clear view of the data usage within your organization. If necessary, develop in-scope data flow map detailing how you sell, collect and disclose personal details. If you already have a map in place, update them with new steps necessary under CCPA.
Understand Individual Rights
CCPA individual rights may apply to different activities or processes within your organization, including:
- Data portability
- Selling/Sharing Disclosures
- Opt-in or Opt-out
Know Financial Incentives
Understand whether your organization will provide financial incentives for consumer data. Under the CCPA, businesses can offer reasonable incentives to consumers as compensation for the sale, deletion, or collection of personal data as long as:
- The business informs consumers about the incentives
- Gives consumers the opportunity to revoke participation and consent at any point
- Gets opt-in consent before enrolling the consumer in this program
- The incentive is not unreasonable, usurious, coercive, or unjust
Update your business' individual rights management processes to meet CCPA specifications and ensure your company's existing privacy policies include all disclosures under CCPA.
If your business has contracts in place with third-party vendors with whom your share collected personal information, modify the documentation to include every CCPA provision.
Establish Processes for Subject Access Requests
Define processes for handling SARs you receive from customers. Already have SAR policies in response to GDPR? Update them to meet CCPA requirements as well.
Key Modifications Released by CA's Attorney General
The California Attorney General announced multiple changes to the CCPA proposed regulations on 7 February 2020. The modifications included changes to the Right to opt-out, mandatory content of CCPA notices, and the permissible use of data by service providers. Businesses present working toward CCPA compliance should expect the Attorney General to commence enforcement once the rulemaking process concludes.
Most of the modifications are business-friendly:
- Concept of "Personal Information"- Evaluating whether data constitutes "personal information" depends on whether the business links or could possibly link the data to a specific household or consumer.
- Additional Service Provider Rights- Service providers can now process personal information for retaining and employing subcontractors that meet CCPA standards, detecting security incidents, complying with state or federal law investigations, or internal use by the service provider to improve or build the quality of its services.
- Sales Notification- The modifications do away with the requirements that if organizations receive a request to opt-out, they must notify every third-party to which the consumer's personal data was sold within 90 days preceding the request.
- Opt-Out- The modifications make it easier for consumers to execute opt-out requests.
- Data Brokers- Organizations are expressly relieved of any obligation to supply notices at collection if they have registered as a data broker with the Attorney General and comply with specific requirements in their registration submissions.
- Biometric Data - Unique biometric data is now included in the list of data categories businesses need to disclose during a Right to know request.
- Mobile Apps- The modifications add several references to the obligations of organizations that collect data via mobile apps, including an obligation to provide a link to the notice before downloading and "just-in-time" notices.
The Road Ahead
As soon as the CCPA was enforced at the beginning of the year, plaintiffs filed a data breach class action lawsuit against Hanna Andersson LLC and Salesforce, alleging CCPA violations. While the eventual result of the legal action is unknown right now, the nature of the lawsuit is important. It sends a clear message that CCPA compliance must be a top business priority since it is clearly at the forefront of the minds of consumers.
Aside from addressing CCPA needs, businesses must find solutions to achieve the greater goal of building customer trust. And in the digital economy where a single poor experience is enough to make the customer switch to the competitors, trusted engagements are important. And the CCPA goes a long way in helping achieve the same.
The CCPA aims to help businesses operating in California be as transparent as possible with the way they handle and disclose consumer information. This legislation will pave the way for other state-wide legislation to provide similar privacy protection and data rights.