5 things you need to know about CCPA
The world of data privacy loves acronyms—CCPA, PII, GDPR, DPIA, to name a few. If your eyes glazed over that first sentence, don’t get discouraged. We’re here to help with a primer on the data privacy law that’s rolling out in a few months—the CCPA. And while we try to provide as much information as possible, please remember that we’re not lawyers; we’re simply a digital agency specializing in design and technology, and trying to help our clients stay on top of the ever-shifting privacy landscape.
What is the CCPA?
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and is a California state law defining privacy rights and consumer protections for California residents. It has strict guidelines on what businesses can do with the personal information they collect from consumers, including giving Californians the right to have their personal information deleted. The CCPA also requires businesses to disclose what information they collect and how they’re using it within 45 days of a request.
Previously, companies could do pretty much whatever they wanted with your data. With the CCPA, Californians—and, by extension, probably all Americans—will enjoy data protections similar to what Europeans receive under the 2018 privacy law known as GDPR (General Data Protection Regulation).
What does this mean for consumers?
Under the CCPA, California residents have these rights:
- To know what personal information is being collected about them;
- To request a copy of any personal information that has been collected about them;
- To have their personal information deleted (with certain restrictions);
- To keep their personal information from being shared with or sold to third parties; and
- To receive equal service levels and prices even if they exercise their privacy rights.
Because California is such a large and influential state—having the equivalent of the fifth largest economy in the world—we expect most businesses will comply with the CCPA rather than turn their backs on providing goods and services to this market. And instead of creating separate systems to handle California customers, legal experts anticipate that companies will apply the CCPA nationwide, giving this landmark data privacy protection to all Americans.
How does the CCPA define Personal Information?
The CCPA defines Personal Information broadly as any information about a consumer or household, including name, address, email, account name, Social Security number, passport details, education and work history, biometric data, IP address, phone number, PIN, geolocation data, internet browsing information, products purchased or considered for purchase, inferences drawn to create a profile reflecting the individual’s preferences, and more.
Does it affect your business?
If you have even the slightest chance of providing a service for a resident of California, then your business should be aware of this law, but you might not be legally required to comply. The CCPA threshold covers three types of businesses:
- Companies with more than $25 million in gross revenue,
- Businesses with data on more than 50,000 consumers, or
- Data brokers or firms that make more than 50% of their revenue selling consumer data.
If your company isn’t large enough to be impacted, be aware that this law is creating rumblings in Washington, D.C. for a federal law of similar scope.
What do you need to do if your business is impacted?
You’ll definitely want to discuss this in more detail with your legal team, but here’s an overview of what your business needs to do to stay in compliance with the law.
Website updates
Revise your website’s home page to include a “clear and conspicuous link” titled “Do Not Sell My Personal Information.” Your privacy policy will most likely need significant updates as well, including informing consumers of their right to be forgotten, disclosing categories of personal information collected and how it will be used, and consumers’ right to opt out of the sale of their personal information.
Other guidelines
- Ensure you have the required mechanisms and communications channels in place, as specified by the CCPA, so you can receive personal data disclosure requests from California residents. This includes the mandatory “Do Not Sell My Personal Information” link on your website’s homepage to a page that enables them to opt out. You must also provide a telephone number where consumers can make data disclosure requests.
- If a consumer asks for transparency about their personal information, provide it to them within 45 days.
- If a consumer asks for their data to be deleted, delete relevant data (subject to certain restrictions) within 45 days.
- Comply with requests to stop sharing consumers’ personal information with third parties.
- Don’t discriminate against consumers who exercise their right to privacy. You need to provide the same level and quality of service to everyone, regardless of their privacy requests.
- Ensure that data sharing with any third parties meets all CCPA restrictions.
It’s not all doom and gloom. You can actually use the CCPA as a competitive advantage. Your business does well when it provides quality service by fiercely protecting your customers’ information. Communicate transparently about data collection to drive customer loyalty. Your customers will trust you more if they believe you care about their data and that you’ll act as a responsible steward of that data.