What is the California Consumer Privacy Act (CCPA)?

by Aisling Moriarty September 25, 2019

Over the last few years, data protection has become a key topic, the high point being the introduction of the EU’s GDPR, which came into effect on 25 May 2018. Now similar legislation is starting to appear in the US: the CCPA comes into effect on January 1st, 2020, and many people are beginning to ask what the California Consumer Privacy Act (CCPA) is.

The first thing to note is that the CCPA is not simply a US version of GDPR; it has additional requirements. However, you will not have to start from scratch if you are already compliant with GDPR. Continue reading to find out what the California Consumer Privacy Act (CCPA) is.

What is the California Consumer Privacy Act (CCPA)?

To put it simply, the CCPA is a consumer privacy law that allows California residents to request all personal information a company holds about them, to learn which third parties that information was shared with or sold to, and to opt out of its sale.

Which companies have to comply with CCPA?

A for-profit business that does business in California must comply with the CCPA if it meets any one of the following conditions:

  • Has annual gross revenues over $25,000,000.
  • Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Who does the CCPA protect?

The CCPA protects residents of California and gives them the right to:

  • Know what personal information is being collected about them.
  • Know whether their personal information is sold or disclosed, and to whom.
  • Opt out of the sale of their personal information.
  • Access their personal information.
  • Request deletion of the personal information a business has collected from them.
  • Receive equal service and price even if they exercise their privacy rights.

What is a ‘consumer’ under the CCPA?

Under the CCPA, a consumer is defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier”.

What are the fines for non-compliance with CCPA?

Fines under the CCPA are civil penalties calculated per violation, capped at $7,500 per intentional violation and $2,500 per unintentional violation. What differentiates the CCPA from other privacy laws is that, on top of these penalties, it gives “natural persons” a private right of action to sue a business whose failure to implement reasonable security procedures leads to a breach of their “non-encrypted or non-redacted personal information”, even with no evidence of actual damage. Under the CCPA, individuals can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Because this right of action is limited to non-encrypted or non-redacted data, encrypting stored personal information is one of the most direct ways to reduce exposure to these claims.

If my business is compliant with GDPR is it compliant with CCPA?

No, unfortunately being compliant with GDPR does not automatically make you compliant with the CCPA. You will already satisfy many of its requirements, but you will need to take extra measures. For example, you will have to update your privacy policy and add a “Do Not Sell My Personal Information” link, and ensure you have methods for handling requests to access, change and erase data, as well as a way to verify the identity of the person making the request.

Are companies ready for CCPA?

Surprisingly, only 55% of companies plan to be ready by the law’s January 1, 2020 effective date, according to research by OneTrust and the IAPP (International Association of Privacy Professionals). With the implementation date quickly approaching, it is critical that you begin preparing for the CCPA now to reduce the risk of breaches and fines.

How can my company prepare?

As mentioned above, if you are compliant with GDPR you will already meet many aspects of the CCPA. Here are a few key items you need in place to comply with the CCPA.

  • Update your privacy policy to state what personal information you collect and process, why, and how users can request access to, changes to, or erasure of their data.
  • Have a method for verifying the identity of the person making such a request before releasing or deleting any data.
  • Place a “Do Not Sell My Personal Information” link on your home page.
  • Obtain opt-in consent before selling the personal information of minors under 16: consumers aged 13 to 15 must opt in themselves, and for those under 13 a parent or guardian must consent.
  • Train employees and define a process for authenticating and responding to requests, and for denying improper or untimely ones.
  • Keep an up-to-date data inventory that is maintained as new consumer information is collected and as data is deleted.

There are many on-premise and cloud solutions that can help you comply with the CCPA. Our software solutions Recordia and eComFax can help you comply with the CCPA by collecting, protecting and securely storing data in a way that is easy to retrieve, analyze and delete.
