CCPA Compliance
CCPA, or the California Consumers Protection Act, is the newly revised personal data protection law. It was passed by the State of California in response to the growing role of consumers' private information in business practices and the implications this has for how data is collected, used, and protected.
The law comes into effect on January 1, 2020. The following section summarizes why the law matters, to whom it applies, and the steps toward compliance.
A business is subject to the CCPA only if it
- Does business in California
- Is profit-oriented
- Collects consumers' personal information (PI)
- Determines the purposes and means of processing consumers' PI
In addition, the CCPA applies to a business that meets at least one of the following thresholds:
- Earns annual gross revenue of more than $25 million
- Buys, receives, sells, or shares the PI of 50,000 or more consumers, devices, or households for commercial purposes
- Derives 50% or more of its annual revenue from selling consumers' PI
The CCPA does not apply to the following information and activities:
- Personal information collected, processed, sold, or disclosed under the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act.
- Medical information collected by an entity governed by the California Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act, or information collected for clinical trials.
- The sale of PI to or from a consumer reporting agency, where that information is to be reported in, or used to generate, a consumer report.
- Cooperation with law enforcement agencies, or exercising or defending legal claims.
- Efforts to comply with state, federal, or local law.
- A criminal, civil, or regulatory investigation, or a summons or subpoena.
- Data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act (DPPA) of 1994.
The CCPA may look similar to the GDPR, but the two are not the same. They differ in several respects, including the information required in privacy policies, the entities they cover, prior consent, and the sale of personal information. If your business is GDPR compliant, you likely already meet some of the CCPA's requirements, but you still need to satisfy the remaining CCPA provisions before you can call yourself CCPA compliant.
- The GDPR applies to all firms that process the data of EU citizens, regardless of their location or size.
- The CCPA is somewhat narrower in scope. It applies only to California-based businesses with revenue of more than $25 million, or those whose primary business is the sale of PI.
- The GDPR focuses strictly on all data relating to the EU consumer/citizen.
- The CCPA treats both the consumer and the household as identifiable entities, whereas in some cases it only covers data provided by the consumer, as opposed to data obtained or acquired from third-party vendors.
- The GDPR was adopted in April 2016 and became enforceable on May 25, 2018.
- The California Consumers Protection Act takes effect in January 2020 and may be further clarified along the way. At present, the CCPA appears to have been drafted in response to recently publicized cases of personal data misuse.
- Both the GDPR and the CCPA treat data encryption as an indispensable privacy protection measure for businesses.
- Under both laws, if a company suffers a data breach but the affected data is encrypted, some of the company's obligations are reduced.
- The GDPR imposes stricter penalties for non-compliance or a data breach, ranging up to 4% of the business's annual global turnover or 20 million euros (whichever is greater).
- Under the CCPA, fines are applied per violation (a maximum of $7,500 per violation), the total is uncapped, and there is effectively no exemption for non-compliance.
The scope of PI, or personal information, under the CCPA is broader than under the GDPR. It includes any information that identifies, relates to, describes, references, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The following enumerated categories of consumer information are included as PI:
- Name, personal identifier, account name, IP address, mailing address, email address, Social Security number, passport number, and driver's license number.
- Geolocation data.
- Biometric information.
- Personal information as defined by California's records destruction law (Cal. Civ. Code § 1798.80(e)), which includes physical characteristics or description, signature, telephone number, education, employment, insurance policy number, financial account information, and employment history.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including personal property, products or services purchased or considered, and other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity, including browsing history, search history, and the consumer's interaction with a website, application, or advertisement.
- Audio, visual, thermal, electronic, olfactory, or similar information.
- Professional or employment-related information.
- Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 USC § 1232(g), 34 CFR Part 99).
- Inferences drawn from any of the information above to create a consumer profile reflecting the consumer's characteristics, psychological trends, preferences, predispositions, attitudes, intelligence, behavior, aptitudes, and skills.
The newly revised CCPA grants consumers new rights, including a right to be forgotten, a right to transparency about data collection, a right to opt out, and a right to opt in for minors. Although this list of rights looks similar to the European law, there are significant differences to be aware of.
- The right to know what personal information a business collects about them: This rule requires firms to be transparent with consumers about the personal information gathered and how it is used.
- The right to request the categories of information a business collects, upon a verifiable request: This rule grants consumers the right to request disclosure of the categories and specific pieces of PI a company collects, the categories of sources from which the data was obtained, the business purpose for collecting or selling the information, and the categories of third parties with whom the information is shared.
- The right to know the types of personal information collected about consumers: This rule requires businesses to disclose the PI collected about the consumer and the purposes for which it is used.
- The right to say "NO" to the sale of PI: This allows consumers to opt out of the sale of their PI by a business, and it prohibits the company from discriminating against consumers who exercise this right, for example by charging a different price or providing a different quality of goods or services to those who opt out, unless the difference is reasonably related to the value provided by the consumer's data. This rule also prohibits a company from selling the PI of a consumer under 16 years of age unless affirmatively authorized.
- The right to delete personal information: This rule grants consumers the right to request deletion of their PI and requires businesses to delete personal data upon receiving a verified deletion request.
- The right to equal service and price even when consumers exercise their privacy rights: This rule still permits businesses to offer financial incentives for the collection of PI.
“Leverage our Research-backed CCPA Readiness Solution to Minimize the Risk.”
Have You Prepared Yourself for CCPA?
At Accomplish Data, we have a robust team working on CCPA. You can always email us at rag@accomplishdata.com or call IND: +91 80 41741516 / USA: +1-844-666-9786 with any CCPA-related questions about our company.
“We equally share our responsibilities for CCPA Obligations.”