California Consumer Privacy Act (CCPA)
What does CCPA mean?
The California Consumer Privacy Act (CCPA) is a statewide privacy law that regulates how businesses around the world can handle the personal information of California residents.
The CCPA entered into force on January 1, 2020, and is the first such law in the United States.
The three legal thresholds of the CCPA for companies
The CCPA applies to any commercial business in the world that sells the personal information of more than 50,000 California residents annually, or that has an annual gross income of more than $25 million, or that obtains more than 50% of its annual income from selling the personal information of California residents.
The sale of personal information is defined in the CCPA as “sell, rent, disseminate, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing, electronically or other methods, the personal information of the consumer by the business to another company or another third party for a monetary value or other type of economic consideration…”
If a company shares a common brand (e.g. same name, service mark or logo) with another business subject to the CCPA, that company is also subject to it.
Under the CCPA, California residents (consumers) have the right to opt out of the sale of their data to third parties, the right to request the disclosure of data that has already been collected and the right to demand the elimination of the information collected.
Additionally, California residents have the right to the same services and price: consumers cannot be discriminated against for choosing to exercise their rights.
Failure to comply with the CCPA may result in fines for companies of $7,500 for infringement and $750 per affected user for civil damages.
The power to enforce the CCPA rests with the office of the California Attorney General, which has until July 2020 to specify the regulations governing that enforcement.
However, the interim period between January and July 2020 is not a grace period: companies are subject to civil lawsuits for the collection and sale of data from January 1, 2020.
What is personal information under CCPA?
The ratification of the California Consumer Privacy Act is considered a turning point with regard to US privacy standards. At the center of this reform is the integral concept of personal information.
With this in mind, take a look at the actual definition of personal information in accordance with CCPA. Section 1798.140 of this law states that “personal information means information that identifies, relates, describes, may be associated with, or could be reasonably linked, directly or indirectly, with a particular consumer…”
Under this definition, four categories of critical data constitute personal information, including but not limited to:
- Identifiers such as any specific personal identifier or Internet Protocol addresses.
- Activity data of the digital network, such as browser records, search history and any information related to the participation of a user in a web page, application or advertisement.
- Audio, electronic, visual, thermal and olfactory data.
- Geolocation information.
In addition, the CCPA stipulates that any conclusion drawn from different elements of personal information to generate a profile of a consumer that reflects the tastes, attributes, cognitive patterns, biases, behaviors, perspectives, intelligence, capabilities and competencies of the user constitutes personal information.
Who does the California Consumer Privacy Act apply to?
For-profit companies that collect and control the personal information of California residents (in the future this will be extended to the entire United States), do business in California and also meet any of these three conditions:
- They have gross annual income greater than $25,000,000.
- They annually receive or disclose the personal information of 50,000 or more residents, households or devices.
- They obtain 50% or more of their annual income from the sale of this personal information.
You can see it in more detail in Section 3. Title 1.81.5 and in Section 1798.140, of the original document.
Important updates about the California Consumer Privacy Act (CCPA)
What should I do to comply with the CCPA law?
You can still collect and even sell personal information, but you must provide users with the option of not participating in this process. The law explicitly says that if a company sells the personal information of users, it must provide a clear link on its website, entitled “Do not sell my personal information.” In addition, it is illegal to offer different services or features based on the choice of inclusion or exclusion. All customers have to continue benefiting from the same services.
As with the GDPR, you have to grant customers the right to access their data, to erase their personal data and to request disclosure of all categories of personal data that are being collected and sold (if that is the case). This will be done annually. If a customer requests it, you must provide the personal data from the 12 months prior to the request. In addition, a customer may submit such requests a maximum of twice a year.
- All categories of information that you collect and process.
- What these categories of information are used for.
- How the information is being collected.
- What is the procedure to request access, modification, transfer or deletion of personal information.
- How the identity of the person submitting an application is verified.
- If personal data is sold, then this has to be described here.
- How to choose not to sell your data.
There are many on-premise and cloud solutions that can help you comply with CCPA. Our solutions Recordia and eComFax can help you comply with CCPA and collect, protect and securely store data which is easy to retrieve, analyze and delete.