Data has become a power source for businesses to create more targeted campaigns, generate more leads, and show ads to users.
But, businesses may sometimes use the wrong means to get users’ information.
A similar incident happened when the political consulting firm Cambridge Analytica unethically collected data of over 87 million Facebook profiles. They used this information to create targeted campaigns during the 2016 US Presidential election.
It reflects that users’ data and their privacy can easily be compromised.
But, the California Consumer Privacy Right will change that. It's a data privacy law that gives consumers rights and control over their personal information.
So, what are those rights, and how will they impact business operations?
This guide will answer these questions.
Table of contents
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state regulation passed to strengthen California consumers’ privacy rights and give them more control over their personal information (PI) collected by businesses. It aims to reduce data breaches by regulating businesses and refining data transparency.
The act went into effect on January 1, 2020, applying to a wide range of businesses obligating them to comply with the CCPA regulations.
Enforcing body of CCPA: The California Attorney General and private litigants are the governing body of CCPA. They have the right to impose fines if any business fails to comply with the CPPA regulation.
History of CCPA
The CCPA began as a ballot initiative in November 2017 by Alastair Mactaggart, a real estate developer and investor. He is also the founder of Californians for Consumer Privacy (CCP), which sponsored CCPA.
Around 629,000 Californians signed, making it qualified for the November 2018 ballot. The legislators enforced CCPA on January 1, 2020, making it the US's first state privacy protection law.
CCPA timeline
Who needs to comply with CCPA?
CCPA applies to any business that meets the following criteria:
Generating a gross annual revenue of more than $25 million;
Buy, receive, or sell the personal data of 50,000 or more California’s residents, households, or devices;
Derive 50% or more of their annual revenue from selling PI of California residents.
The CCPA also applies to any entity that:
controls, or is controlled by, a business that meets the above criteria, and
shares common branding with that business.
isn’t physically located in California but conduct their business there.
Note: The CCPA does not apply to nonprofit organizations or government agencies.
What rights were given to consumers under CCPA?
CCPA gives the following five rights to the citizens:
1. The right to know and access data
It gives the citizens the right to request businesses to disclose what personal information they have collected, used, shared, or sold about them.
Businesses will need to disclose all this information for the 12 months preceding the consumer’s request. After that, they must provide this information to you free of charge.
2. The right to delete personal information
Consumers can request businesses to delete the personal data they collected from you and ask any third party to do it.
But, some exceptions allow businesses to keep their PI, including if the information is required to complete a transaction or provide a good or service.
Businesses must respond to your request within 45 calendar days. However, they can extend that deadline by another 45 days (90 days total) if they notify you.
3. The right to opt-out of the sale of PI
Consumers have the right to opt-out of the sale of their PI by the businesses. To give users access an option to opt-out, businesses must do the following:
- Include a clear hyperlink entitled “Do not sell my personal information” on their websites
- Add a toll-free number and website address.
Businesses must wait at least 12 months before asking you to opt back into selling your PI.
4. The right to non-discrimination
Businesses aren’t allowed to discriminate against users who exercise their CCPA rights. Therefore, they cannot do the following:
Refuse to offer goods or services.
Charge you a different price.
Provide a different level or quality of goods or services.
But, this right doesn’t prohibit businesses from charging different prices or selling different quality products if that difference is reasonably related to your non-disclosure or sharing of PI.
5. The right to opt-in for the sale of PI of minors
The right states that a business cannot sell the PI of users below 13 years without the affirmative opt-in consent by their parents or guardians.
If the consumer is between 13 and 16, they can provide the necessary opt-in consent to the business.
What happens if businesses don’t comply with CCPA?
Suppose a business fails to cure any alleged violation within 30 days after being notified. In that case, the
Attorney general can charge a penalty of up to $2,500 for each violation and $7,500 for each unintentional violation.
In case of consumer’s data theft or other data security breaches, the companies will be liable for the following actions:
Recover damages between $100 - $750 per consumer per incident or actual damages, whichever is greater.
Injunctive or declaratory relief.
Any other relief the court deems proper.
CCPA gives importance to users’ personal information and if you are not aware of that, you might violate the CCPA regulations. So, read on to know what exactly is covered under PI.
What constitutes personal information under CCPA?
CCPA defined personal information as:
Any information that identifies, relates to, describes, is reasonably capable of being associated with, or directly or indirectly, with a particular consumer or household.
Personal information under CCPA includes, but is not limited to, the following:
Real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Commercial information includes personal property, products or services purchased, obtained, considered, or other purchasing or consuming histories or tendencies.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
Biometric information.
Geolocation.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information as defined in the Family Educational Rights and Privacy Act.
Any information mentioned above may be used to create a consumer profile reflecting their preferences, characteristics, psychological traits, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not include the following:
Any publicly available information means any information that is lawfully made available from federal, state, or local government records. It also does not mean biometric information collected by a business without the consumer’s knowledge.
Any information that is de-identified or aggregate consumer information.
What actions a business needs to take to be CCPA compliant?
If your business falls under the CCPA compliance, then you should take the following actions:
• Create a user’s data inventory
You must have a data inventory or entire database of all the user’s personal information. It can have the following information:
Ways you use to get personal information.
Types of personal information you collect and share.
Purposes for collecting the information.
Parties with which you share it and why.
Information retention period.
Current data disposal practices.
• Create a database of all the vendors and other third parties
Identify all the vendors and third parties with which you share users' personal information.
Review the existing contracts with those parties for compliance with existing and future laws.
• Run tests to assess your company’s preparedness
You can run tests on your ability to address consumers’ requests, such as accessing or deleting their PI.
You can ask yourself questions like:
Can you verify the validity of their request?
Can you find the relevant personal information?
Remove all the personal information from your systems, or establish a legal basis for retention?
Honor a “Do not sell” request, and follow the downstream notices and associated responses to consumers the regulations propose.
• Prepare a notice at the collection for the consumers.
Businesses must provide a notice at collection to consumers concerning the use of their PI. The notice at collection must have the following information:
Categories of personal information to be collected.
The purposes for which the personal information will be used.
A link titled “Do not sell my personal information” or “Do not sell my info."
Link to business’s privacy policies.
• Update your company’s online privacy policy
The CCPA has added new essential elements that a business must include in its privacy policy. So, businesses must update all the proposed changes, which are as follows:
A description of consumers’ rights is given under the CCPA.
A description of the categories of PI collected and the purpose for collection in the preceding 12 months.
The categories of third parties with which it shares personal information.
A link titled “Do not sell my personal information” on your business website.
A description of any financial incentives given to consumers for providing data or not exercising their rights. For example, if the company offers a 15% discount to individuals who provide their email addresses for marketing purposes, this incentive must be disclosed in the privacy policy.
Way forward
The CCPA highlights the importance and need of protecting consumers’ privacy and giving them more control over their personal information used by businesses. CCPA is the most significant development in the US and has inspired many states to pass their own data privacy legislation.
For instance, Nevada enacted Senate Bill 220 (SB-220), which amends the state’s existing online privacy laws, and went into effect on October 1, 2019.”
“Massachusetts currently has pending in its legislature a CCPA-like bill, ‘An Act Relative to Consumer Data Privacy’, which would create a comprehensive consumer privacy regime in the Bay State.
Besides such worldwide impact, CCPA still is not a perfect law and requires many amendments. So, the architect of CCPA, Alastair Mactaggart, began collecting signatures for a new 2020 ballot initiative, called the California Privacy Rights Act (CPRA), to fill the gaps in CCPA and create a more inclusive privacy act that gives users broader control over their data.
