Data has become a power source for businesses to create more targeted campaigns, generate more leads, and show relevant ads to users.
But, businesses may sometimes use the wrong means to get users’ information.
One such incident occurred when the political consulting firm Cambridge Analytica unethically collected data from over 87 million Facebook profiles and used it to create targeted campaigns during the 2016 US Presidential election.
This shows how easily users' data and privacy can be compromised.
But the California Consumer Privacy Act (CCPA) is going to change that. It gives users more rights and control over their personal information.
So, what are those rights and how will they impact business operations?
This guide will answer these questions.
The California Consumer Privacy Act (CCPA) is a state regulation passed to strengthen California residents’ privacy rights and give them more control over their personal information (PI) collected by businesses.
The act went into effect on January 1, 2020. It applies to a wide range of businesses, which are obligated to comply with the CCPA regulations.
Enforcing body of CCPA: The Attorney General for the State of California and private litigants are the governing body of the CCPA. They have the right to impose fines if any business fails to comply with the CCPA regulations.
The CCPA began as a ballot initiative in November 2017 by Alastair Mactaggart, a real estate developer and investor. He is also the founder of Californians for Consumer Privacy (CCP), which sponsored the CCPA.
Around 629,000 Californians signed the initiative, qualifying it for the November 2018 ballot. The legislators enacted the CCPA, and it took effect on January 1, 2020, making it the first state privacy protection law in the US.
CCPA applies to any business that meets the following criteria:
Generates a gross annual revenue of more than $25 million;
Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices;
Derives 50% or more of its annual revenue from selling the PI of California residents.
The CCPA also applies to any entity that:
controls, or is controlled by, a business that meets the above criteria, and
shares common branding with that business; or
is not physically located in California but conducts business there.
Note - The CCPA does not apply to nonprofit organizations or government agencies.
CCPA gives the following four rights to the citizens:
Consumers have the right to request that businesses disclose what personal information they have collected, used, shared, or sold about them.
Businesses must disclose this information for the 12 months preceding the consumer's request, and they must provide it free of charge.
Consumers can request that businesses delete the personal information collected from them, and that they ask any third parties to do the same.
But some exceptions allow businesses to keep the PI, including when the information is required to complete a transaction or provide a good or service.
Businesses must respond to your request within 45 calendar days. However, they can extend that deadline by another 45 days (90 days total) if they notify you.
Consumers have the right to opt out of the sale of their PI by businesses. To give users an option to opt out, businesses must do the following:
Include a clear hyperlink entitled “Do not sell my Personal information” on their websites
Add a toll-free number and website address.
Businesses must wait at least 12 months before asking you to opt back into selling your PI.
Businesses aren’t allowed to discriminate against users who exercise their CCPA rights. Therefore, they cannot do the following:
Refuse to offer goods or services.
Charge you a different price.
Provide a different level or quality of goods or services.
But, this right doesn’t prohibit businesses from charging different prices or selling different quality products if that difference is reasonably related to your non-disclosure or sharing of PI.
A business cannot sell the PI of consumers under 13 years of age without affirmative opt-in consent from their parents or guardians.
Consumers between 13 and 16 can provide the necessary opt-in consent to the business themselves.
If a business fails to cure an alleged violation within 30 days of being notified, the Attorney General can charge a penalty of up to $2,500 for each violation and $7,500 for each unintentional violation.
In the case of consumer data theft or other data security breaches, companies will be liable for the following:
Damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Injunctive or declaratory relief.
Any other relief the court deems proper.
The CCPA defines personal information broadly, and if you are not aware of what it covers, you may violate the CCPA regulations without realizing it. So, read on to learn exactly what is covered under PI.
The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information includes, but is not limited to, the following:
Real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information as defined in the Family Educational Rights and Privacy Act.
Inferences drawn from any of the information above to create a consumer profile reflecting their preferences, characteristics, psychological traits, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not include the following:
Publicly available information, meaning information that is lawfully made available from federal, state, or local government records. "Publicly available" does not include biometric information collected by a business without the consumer's knowledge.
De-identified or aggregate consumer information.
If your business is subject to the CCPA, you should take the following actions:
Maintain a data inventory, a complete record of all the personal information you hold about users. It should capture the following:
How you collect personal information
Types of personal information you collect and share
Purposes for collecting the information
Parties with which you share it and why
Information retention period
Current data disposal practices.
Identify all vendors and third parties with which you share users' personal information.
Review the existing contracts with those parties for compliance with existing and future laws.
Test your ability to address consumers' requests, such as accessing or deleting their PI.
You can ask yourself questions like:
Can you verify the validity of their request?
Can you find the relevant personal information?
Can you remove all of the personal information from your systems, or establish a legal basis for retaining it?
Can you honor a "Do not sell" request, and send the downstream notices and responses to consumers that the regulations require?
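The request-handling checks above can be exercised as code. The following Python module is an added example, not code from the article or from any CCPA compliance tool; the data stores, consumer records and dates are constructed, and the request-verification rule (at least two supplied identifiers must match what you hold) is an assumed policy, not something the article specifies. It models the rules the article states: the 12-month look-back for disclosure, the 45-day response deadline with one 45-day extension, deletion subject to a retention exception, the opt-out from sale, the 12-month wait before asking an opted-out consumer to opt back in, and the age-based opt-in consent for selling minors' PI.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

LOOKBACK_DAYS = 365         # right to know covers the 12 months preceding the request
RESPONSE_DAYS = 45          # initial deadline to respond to a consumer request
EXTENSION_DAYS = 45         # one extension allowed, 90 days in total
OPT_IN_COOLDOWN_DAYS = 365  # wait 12 months before asking an opted-out consumer to opt back in


@dataclass
class Record:
    """One piece of PI: where it lives, its CCPA category, and why it may be retained."""
    store: str                              # holding system (constructed names, e.g. "crm")
    category: str                           # e.g. "identifiers", "commercial information"
    value: str
    collected: date
    retention_basis: Optional[str] = None   # e.g. "complete transaction"; None means deletable


@dataclass
class Consumer:
    consumer_id: str
    age: int
    records: List[Record] = field(default_factory=list)
    sale_opted_out: bool = False
    opted_out_on: Optional[date] = None
    parental_consent: bool = False   # affirmative opt-in by a parent/guardian (under 13)
    self_consent: bool = False       # affirmative opt-in by the consumer (13 to 16)


def verify_request(consumer: Consumer, claimed: dict, min_matches: int = 2) -> bool:
    """Assumed verification policy: the requester must supply at least `min_matches`
    identifier values that match identifiers we already hold for this consumer."""
    held = {r.value for r in consumer.records if r.category == "identifiers"}
    return sum(1 for v in claimed.values() if v in held) >= min_matches


def response_deadline(received: date, extended: bool = False) -> date:
    """45 calendar days, or 90 if the consumer was notified of an extension."""
    return received + timedelta(days=RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0))


def disclose(consumer: Consumer, requested_on: date) -> List[Record]:
    """Right to know: records collected in the 12 months preceding the request."""
    cutoff = requested_on - timedelta(days=LOOKBACK_DAYS)
    return [r for r in consumer.records if r.collected >= cutoff]


def delete(consumer: Consumer) -> Tuple[List[Record], List[Record]]:
    """Right to delete: drop every record without a retention basis.
    Returns (deleted, retained) so retained records can be justified in the response."""
    deleted = [r for r in consumer.records if r.retention_basis is None]
    retained = [r for r in consumer.records if r.retention_basis is not None]
    consumer.records = retained
    return deleted, retained


def opt_out_of_sale(consumer: Consumer, today: date) -> None:
    """Record a "Do not sell" request and when it was made."""
    consumer.sale_opted_out = True
    consumer.opted_out_on = today


def may_sell(consumer: Consumer) -> bool:
    """Sale is blocked by an opt-out; for minors it also needs affirmative opt-in:
    a parent/guardian under 13, the consumer themself from 13 up to 16."""
    if consumer.sale_opted_out:
        return False
    if consumer.age < 13:
        return consumer.parental_consent
    if consumer.age < 16:   # "between 13 and 16" read here as 13 through 15 (assumption)
        return consumer.self_consent
    return True


def may_ask_to_opt_back_in(consumer: Consumer, today: date) -> bool:
    """Businesses must wait 12 months after an opt-out before asking again."""
    if not consumer.sale_opted_out or consumer.opted_out_on is None:
        return True
    return today >= consumer.opted_out_on + timedelta(days=OPT_IN_COOLDOWN_DAYS)


def sample_consumer() -> Consumer:
    """Constructed sample data: a 15-year-old with PI spread over three stores."""
    return Consumer("c-001", age=15, records=[
        Record("crm", "identifiers", "alice@example.com", date(2020, 3, 1)),
        Record("crm", "identifiers", "123 Main St", date(2020, 3, 1)),
        Record("orders", "commercial information", "order #4421", date(2019, 1, 10),
               retention_basis="complete transaction"),
        Record("analytics", "internet activity", "visited /pricing", date(2020, 5, 2)),
    ])


def run_demo(today: date = date(2020, 6, 1)) -> dict:
    """Exercise each check against the sample consumer and return plain values."""
    c = sample_consumer()
    out = {
        "verified": verify_request(c, {"email": "alice@example.com", "postal": "123 Main St"}),
        "unverified": verify_request(c, {"email": "alice@example.com"}),
        "deadline": response_deadline(today).isoformat(),
        "deadline_extended": response_deadline(today, extended=True).isoformat(),
        "disclosed": [r.value for r in disclose(c, today)],
        "may_sell_minor_without_consent": may_sell(c),
    }
    opt_out_of_sale(c, today)
    out["may_sell_after_opt_out"] = may_sell(c)
    out["may_reask_after_6_months"] = may_ask_to_opt_back_in(c, today + timedelta(days=180))
    out["may_reask_after_12_months"] = may_ask_to_opt_back_in(c, today + timedelta(days=365))
    deleted, retained = delete(c)
    out["deleted"] = [r.value for r in deleted]
    out["retained"] = [r.value for r in retained]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module walks the sample consumer through verification, disclosure, deletion and the sale rules; the 2019 order record is excluded from disclosure by the 12-month look-back and survives deletion because of its retention basis, while the sale stays blocked until either the opt-out is lifted or, for a minor, the appropriate consent is recorded.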
Businesses must provide a notice at collection to consumers concerning the use of their PI. The notice at collection must have the following information:
Categories of personal information to be collected
The purposes for which the personal information will be used.
A link titled “Do not sell my personal information” or “Do not sell my info.”
A description of consumers’ rights under the CCPA.
A description of the categories of PI collected and the purpose for collection in the preceding 12 months.
The categories of third parties with which it shares personal information.
A link titled “Do not sell my personal information” on your business website
The CCPA highlights the importance and need of protecting consumers’ privacy and giving them more control over the personal information businesses use. The CCPA is the most significant data privacy development in the US to date and has inspired many states to pass their own data privacy legislation.
For instance, Nevada enacted Senate Bill 220 (SB-220), which amends the state’s existing online privacy law, and went into effect on October 1, 2019.
Massachusetts currently has pending in its legislature a CCPA-like bill, ‘An Act Relative to Consumer Data Privacy’, which would create a comprehensive consumer privacy regime in the Bay State.
Despite such wide-reaching impact, the CCPA is still not a perfect law and requires many amendments. So, the architect of the CCPA, Alastair Mactaggart, began collecting signatures for a new 2020 ballot initiative, called the California Privacy Rights Act (CPRA), to fill the gaps in the CCPA and create a more comprehensive privacy act that gives users broader control over their data.