The California Consumer Privacy Act, or the CCPA, was signed into law in June 2018 by Governor Jerry Brown and came into force on January 1, 2020. It is one of the most recent laws protecting people's privacy rights on the Internet. The CCPA does not replace earlier laws: you still have to comply with every other applicable state and federal law, and the CCPA complements them rather than superseding them.
Under this law, businesses must tell consumers what personal information they collect, how they collect and process it, and why. The act also gives consumers the right to learn whether their data is being sold and to opt out of that sale. In short, it requires businesses to make every process that touches consumers' data transparent and understandable to the consumers themselves.
Whom Does the CCPA Apply To?
The CCPA applies to for-profit businesses that do business in California and meet at least one of the following conditions:
- Annual gross revenues above $25 million, or
- Buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices each year, or
- Derive 50 percent or more of their annual revenue from selling California residents' personal information.
Such businesses may collect and process personal information, including information gathered through cookies, but they are also obliged to protect it. The size of the business is irrelevant in itself: if your business meets any one of these three criteria, it is covered by the law and must comply. Note that the CCPA does not cover personal information that is already regulated by certain other federal laws, such as medical information protected under HIPAA (the Health Insurance Portability and Accountability Act) or financial information protected under the GLBA (the Gramm-Leach-Bliley Act). The exemption applies to that category of data, not to the whole organization, so a healthcare or financial company must still comply with the CCPA for any other personal information it handles.
What is Personal Data in the CCPA?
The CCPA's definition of personal information is deliberately broad. It covers "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". This reaches far more identifiers than the traditional notion of personal data, and notably extends to households, not just individuals. The text of the law gives a list of examples of personal information, including:
- Biometric information;
- Geolocation data;
- Browsing and search history;
- IP addresses, and others.
It is worth noting that "publicly available" information is not personal information under the CCPA, but the exemption is narrower than it sounds: it covers only information lawfully made available from federal, state, or local government records. The GDPR has no equivalent exemption. To meet the CCPA's disclosure requirements, your privacy policy should tell consumers at least the following:
- What categories of personal information you collect and process;
- Why and how you collect and process that information;
- How users can request access to, correction of, transfer of, or deletion of their information;
- How you verify the identity of a user who submits such a request.
This list is not exhaustive; you can add further points from the text of the law to make your policy compliant.
The Prior Consent
You should also keep prior consent in mind. The CCPA does not require prior consent for collecting and processing personal information in general; it follows an opt-out model. Selling the data of minors is the exception. For minors who are at least 13 and under 16 years old, you must obtain the minor's own affirmative opt-in consent before selling their data. For children under 13, you must obtain consent from a parent or guardian.
Furthermore, your site must carry a clearly visible "Do Not Sell My Personal Information" link that lets users opt out of having their data sold. You must set up this link to be compliant with the CCPA, and you may not require users to create an account in order to opt out, because the process is meant to be as easy as possible. Outside those restrictions, you are free to sell information about your users, provided you honor every opt-out request.
Non-compliance can result in civil penalties, enforced by the California Attorney General, of up to $2,500 per unintentional violation and $7,500 per intentional violation, and since each affected record can count as a separate violation, the total for even an unintentional violation can be enormous. In addition, consumers have a private right of action when their personal information is exposed in a data breach caused by a failure to maintain reasonable security. In that case they can claim statutory damages of $100 to $750 per consumer per incident without having to prove any financial loss.
How to Be Compliant with the CCPA
To be compliant with the CCPA, a business must "implement and maintain reasonable security procedures and practices" appropriate to the nature of the information it holds. A data breach is the event most likely to trigger liability under the law, so it is crucial to know exactly where personal information is stored, who has access to it, and what they can do with it. The CCPA also obliges organizations to disclose to a consumer, on request, the personal information about that consumer stored in their databases, which is only feasible if you can locate that data reliably.
DataSunrise offers a solution that can make this easier. Its Compliance feature continuously scans your databases for newly added personal data, so that sensitive information is discovered and placed under protection as soon as it appears rather than left unnoticed. DataSunrise also provides a DSAR (Data Subject Access Request) feature.
DataSunrise's DSAR feature provides search and reporting mechanisms for handling consumer requests. It lets you search across your databases for the personal information of a particular consumer and retrieve it in a way that satisfies the CCPA's access requirements. The retrieved data can be exported from the database and presented as a report, which is useful both for answering the consumer and for compliance assessment.