The California Consumer Privacy Act was signed into law on June 28, 2018.
Also known as the right to be forgotten act, it allows Californians control over their data.
Under the CCPA, they can demand to see personal information a company has saved on them. They can also request the company to dispose of it. And, consumers can ask to see a complete list of third parties their data has been shared with.
Notably, the CCPA allows consumers to sue if companies violate privacy guidelines. Even if a data breach did not occur.
When does the CCPA go into effect?
The CCPA becomes effective January 1, 2020.
What if my business is not in California?
The CCPA affects any business holding data of California citizens. One of the following qualifications must also be met:
- The business has at least $25 million in annual revenue.
- The business has personal data on at least 50,000 people.
- Or, the business collects more than half of their revenue from the sale of personal data.
With these qualifications, companies based outside the state of California must follow this law.
What does my business need to do to be compliant?
Companies must put in place new processes to comply with the CCPA.
First, companies must offer consumers the choice to not to have their data shared with third parties. This means companies will have to segment data per the users' privacy choices.
There are also the following compliance measures outlined in the bill:
- Put in place processes to get parental consent for minors under 13 years for sharing data. And, get consent of minors between 13 and 16 years old for sharing data (Cal. Civ. Code § 1798.120(d)).
- Add a Do Not Sell My Personal Information link on the home page of the website of the business. The link should direct users to a web page so they may opt out of the sale of their personal information (Cal. Civ. Code § 1798.102).
- Create processes for submitting data access requests. Including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
- Update privacy policies with the newly required information, including a description of California residents' rights (Cal. Civ. Code § 1798.135(a)(2)).
- Do not request opt-in consent from a California resident for 12 months after they opt out (Cal. Civ. Code § 1798.135(a)(5)).
What if my business is not in compliance?
Companies have 30 days to comply once regulators inform them of a violation.
If the issue isn't resolved, there's a fine of up to $7,500 per record:
This does not include the bill’s provision that allows individuals the right to sue. So, there are extra financial risks.
Meanwhile, companies that suffer data breaches can pay damages between $100 to $750 per record
How is CCPA different from GDPR?
The European Union’s General Data Protection Regulation (GDPR) went into effect in spring of 2019.
GDPR does have some stricter regulations than CCPA, such as requiring a 72-hour window in which companies must report a data breach.
But the CCPA takes a wider view of the definition of private data. Name, address, email, social security number, and other traditionally identifiable information is covered.
The CCPA also covers biometric data, geolocation data, and records of products purchased. Even audio, electronic, visual, thermal, and olfactory data is covered by the bill.
If you think your business may need to abide by the CCPA, don’t wait on putting new processes in place. Get started now. You could save yourself a lot of money, or even your business.
Read more about the CCPA here: