If your business handles customer data, you’re probably aware of the California Consumer Privacy Act (CCPA), which was signed into law in 2018 and goes into effect in January 2020. The CCPA intends to provide consumers with greater privacy and control over how their personal information is used by companies. How might the CCPA affect your business and what should you do to prepare?*
What does the CCPA do?
The CCPA protects the privacy of California residents by giving them rights with regard to their personal information. Personal information refers to any data that identifies or could be linked to individuals or households. This includes names, addresses, IP addresses, emails, social security numbers, driver’s license numbers, and medical or financial information.
The CCPA gives individuals numerous rights when it comes to their data, including:
- The right to access any personal data that has been collected about them
- The right to know what data has been collected
- The right to know if personal data has been sold and, if so, to what entity
- The right to refuse the sale of their data
- The right to request that a business deletes any collected personal data
- The right to not be discriminated against if one chooses to protect their data
Who needs to comply with the CCPA?
Any business that collects consumer data and does business in California must comply with the CCPA, as long as it also meets at least one of the following qualifications:
- Annual gross revenue exceeds $25 million
- Collects (or shares or sells) the personal information of over 50,000 consumers or households
- The sale of consumers’ personal data accounts for over half of its annual revenue
Companies must “implement and maintain reasonable security procedures” when it comes to protecting consumer information. These procedures include updated privacy policies containing information about the rights of California residents and homepage links where users can opt out of the sale of their information. Companies also need to create ways for users to request access to data, and must wait at least one year before asking a user to opt in after that user has opted out. Parental consent for data collection and usage must also be obtained for children under 13 years old.
How does the CCPA compare to the GDPR?
Some people refer to the CCPA as California’s version of the E.U.’s General Data Protection Regulation (GDPR), which went into effect in 2018, but in fact, the two laws are quite different. The GDPR is a consumer privacy law for citizens of the European Union. Like the CCPA, it provides consumers with the right to access and/or delete their personal data and requires that businesses be transparent about information usage.
However, in many ways, the GDPR goes far beyond the scope of the CCPA. For example, the GDPR requires businesses to have a “legal basis” for collecting and using personal data. It also requires that businesses conduct assessments and name a data protection officer. E.U. citizens are also given the right to have more control over their personal information, such as the “right to be forgotten”.
The two regulations differ in many ways, from the fines levied against non-compliant businesses to the very definitions of personal information.
What does this mean for your business?
If your business collects personal information about California residents, make sure you become CCPA compliant quickly. There is a plethora of compliance software and services that can help you. If you don’t do business with anyone in California, you’re safe for now. But it’s important to remember that privacy issues aren’t going away – they’re only going to keep increasing. If you’re lucky enough to not be affected by the CCPA, it’s likely you’ll be affected by a different law, whether state or federal, at some point in the future. It’s smart to start preparing now. Save yourself future headaches and keep your business focused on best practices relating to data, security, and user access requests. Another great way to keep your business focused on security? Schedule regular paper and data destruction with DataSafe!
*Please note: We’re experts in data and document destruction, not the law. This information should not replace legal advice, nor does it guarantee GDPR or CCPA compliance. If your website needs full compliance, please consult with a lawyer.