Gartner estimates that, by year-end 2023, 75% of the world’s population will have its personal data covered under modern privacy regulations. The GDPR changed the game in terms of European data protection. Has the California Consumer Privacy Act done the same for California?
The first of its kind in the United States, this landmark law secures new privacy rights for California consumers. But what exactly are the CCPA requirements, and who needs to achieve CCPA compliance? From a consumer side, what changes in terms of California residents personal information? And, from a business side, how can companies protect themselves against a CCPA violation?
Carry on reading for a crash course in all you need to know.
What is CCPA?
The California Consumer Privacy Act (CCPA) was enacted to provide Californians with greater transparency and control over their personal information.
Passed unanimously by Californian residents in 2018, the CCPA passed into California law via a ballot initiative and became effective on January 1, 2020.
The first of its kind in the United States, this landmark law secures new privacy rights for California consumers.
According to the Standardized Regulatory Impact Assessment conducted by Berkeley Economic Advising and Research, LLC, the CCPA regulations will protect more than $12 billion worth of personal information that is used for advertising each year in California.
From a company perspective, this regulation allows enterprises to ensure their data practices promote transparency and protection, also protecting sensitive information against data breaches. Given that 75% of consumers say they won’t purchase from a company they don’t trust with their data (Harris poll for IBM, 2018), the benefits of a redefined data strategy are threefold: regulatory, ethical, and monetary. Put simply, transparent personal data collection will not harm annual revenue.
How does the CCPA give consumers control over their data?
What do we mean when we talk about “CCPA rights”? There are two main ways in which CCPA changes the game for the end user.
The “CCPA request”: Under CCPA legislation, Californian citizens are entitled to demand to see all the personal information, personal data, and consumer data a company has saved on them, as well as a full list of all the third parties the data is shared with. This is known as a CCPA-verifiable consumer request.
The right to sue: In addition, the CCPA allows consumers to sue companies if the privacy guidelines have been breached.
How does the CCPA differ from the General Data Protection Regulation (GDPR)?
You might be thinking, is the CCPA just the American version of the GDPR? Both the GDPR and the CCPA aim to protect and inform consumers and companies about the collection of personal information and consumer data. Both encourage companies to adopt reasonable security procedures for sensitive data, and more general personally identifiable information.
The difference between GDPR and CCPA is that the CCPA’s definition of personal data is extra-personal, meaning that it includes data that is not specific to an individual, but is categorized as household data, whereas the GDPR remains exclusively individual.
The GDPR has six legal grounds for processing personal data in the EU, the CCPA has none for processing personal information in California. This means that businesses can process data on Californians as they please, unless consumers exercise their right to opt out of having their data sold.
The GDPR protects any individual (data subject) whose IP address locates them in the European Union at the time of collection or processing, so the covered businesses are extensive. In comparison, the CCPA only protects individuals that fall under its definition of a particular consumer as being a California resident (i.e. in the state for other than a temporary or transitory purpose).
What personal data is affected by CCPA?
Under the scope of the CCPA “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Therefore, we’re not just talking about personal data such as names and addresses, or other general contact information/online contact details. The CCPA text also refers to:
Credit card numbers
Social security numbers
Income or similar information
Browsing history and search history
Californian unique ID
Unique personal identifier / account name / online identifier
Driver's license number
IP address or other device similar identifiers
Other identifiable information.
Ultimately, the CCPA text left no stone unturned. This (lengthy) list ensures that personal data & customer data, of all types, belong strictly to the consumer.
Not only does this definition of personal data encompass data often collected for marketing and advertising purposes, it also seeks to protect users against data breach. The CCPA purpose is to be all-encompassing.
What are the regulations on personal information?
So, we now know why the CCPA came into being, and what kind of data it concerns. But, what exactly are the CCPA requirements? What constitute reasonable security procedures?
According to California's Office of the Attorney General, to remain CCPA-compliant under California law, businesses must:
Ensure CCPA verifiable consumer requests are effectively executed. Companies should :
Provide consumers with two or more methods for submitting access requests, including at a minimum, a toll-free telephone number, and, if the business has a web site, a website address.
Respond to CCPA verifiable consumer requests within specific time frames.
Maintain records of all CCPA requests for access to data for 24 months, as well as how the business responded.
Verify the identity of consumers who ask to read and delete their information, even if they have a password-protected account with the business.
Ensure data privacy, transparency and the option to opt-in/opt-out. Companies should :
Allow consumers to opt-out, read and delete their personal data from the business’ storage. Companies must provide a “Do Not Sell My Personal Information” link for opt-out requests.
Provide notice to consumers at or before they collect personal data (for example, the CCPA covers cookies).
Disclose financial incentives for retaining or selling the consumer's personal data and how they value that data.
CCPA requirements go beyond the single company level. Suppose a business collects personal data and shares it with other companies. In that case, the company must also prove it has taken appropriate measures to continue to protect the data once it's in the partners hands. The web of data access and the responsibility of ownership of that data are extensive, complex, and dynamic.
These are the boxes companies must tick for CCPA certification and data protection. But, how does this translate into consumer CCPA rights?
If companies respect the CCPA requirements outlined above, users will thus be able to enjoy certain benefits:
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.
California consumers aren’t waiting to take action. 85% of consumers believe businesses should be doing more to actively protect their data (Harris poll for IBM, 2018).
It’s therefore unsurprising that consumer class action lawsuits are already working their way through the court system. Their outcomes remain to be seen, but the potential litigation is proving a point: companies aren't going to get away with CCPA violations, at least not without a reputational and monetary cost.
Some see CCPA and other data regulation compliance as a burden. But, with 91% of consumers preferring to buy from a company that always guarantees them access to their information (Data Privacy Feedback Loop 2020), it’s clear that the benefits work both ways.
Put simply, there is regulatory necessity, but also a business value in placing business subjects in the driving seat of their data.
Who is required to comply?
We’re here to answer the question on everyone’s lips : “Do I have to comply with the CCPA?”.
Every company should be working to value consumer data rights, from both a reputational and ethical standpoint. However, not every company is in fact required to comply with the CCPA.
If one (or more than one) of the following is true, your business will require CCPA certification:
You earn 50% or more of your revenue from selling consumers’ personal information
You are a for profit business making at least $25 million gross annual revenue
You hold more than 50,000 users’ or devices’ data
Businesses that are exempt from the CCPA include:
Financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies under the Fair Credit Reporting Act
Health providers and insurers already under HIPAA
Those are the rules. However, with 93% of consumers reporting that they would switch to a company that prioritizes consumer data privacy (Data Privacy Feedback Loop 2020), there’s a clear reputational, ethical (and financial) incentive for every company to get on board.
What are the risks of CCPA non-compliance?
Privacy is about more than just CCPA compliance, it's about consumer rights in California. It’s about giving people more control over their data.
However, whilst the purpose of CCPA is so much more than just CCPA compliance, it’s worth mentioning that the sanctions for CCPA violations can be severe.
Penalties for CCPA violations:
Civil penalties start at $2,500 per violation for non-compliance that is deemed unintentional. For intentional non-compliance, those fines jump to as much as $7,500 per CCPA violation.
Companies may also be subject to civil litigation from those affected, as consumers have the right to sue businesses that have violated their CCPA rights.
Are There Cookie Consent Requirements in This New Privacy Law?
Cookies. The hot topic. Some are termed “technical cookies” and are essential for a website to run. Others are used for marketing purposes, to make the user's web experience faster, convenient and personalized.
What is the CCPA’s stance on cookies? The fundamental CCPA purpose is for companies to be more transparent in how they collect and use consumer data.
Furthermore, you must let them know in a way that is intuitive, accessible and easy to understand (not hidden in the depths of a 30 page terms and conditions document or on a legal page which is notoriously difficult to find).
Importantly, visitors need to be informed about cookie policies before their information is collected. This is what has led to the rise of cookie banners and consent notices that pop up on many websites.
Is There an Easy Way to Comply with CCPA?
We’re coming to the end of our CCPA crash course. But, we’re now reaching the most important part.
It’s all very well knowing the CCPA requirements, but how can companies implement these in an effective and fool-proof manner at every point of data collection and data classification? How can organizations’ data be managed effectively, without affecting annual gross revenue?
CCPA compliance should not be a matter of guesswork. At least certainly not if you want to avoid data breach and government records. Is there an easy way to comply with the CCPA? Yes. This is when Didomi steps in.
Didomi allows companies to show exemplary compliance and reduce legal risk by collecting consent across every touchpoint. It’s about building a reputation as an exemplary organization & never being associated with rogue data practices.
Our consent and preference management technology allows companies to comply with CCPA regulation, allowing them to:
Build real-time, customer-friendly interfaces to inform their users about the data collected, and allowing them to personalize their consent choices and preferences;
Effectively collect, store, manage and provide proof of user consent across digital assets and physical data collection points;
Prove the robustness of their data practices to users and regulators thanks to a clear data inventory that allows for CCPA consumer requests.
97% of companies have seen benefits like a competitive advantage or investor appeal from investing in privacy (Cisco 2019 Consumer Privacy Survey).
Ensure CCPA cookies and CCPA third-party compliance with a bespoke Didomi consent notice. A commercial Consent Management Platform will ensure compliance in an ever changing ecosystem, without sacrificing on performance or data visualization.
It is imperative that organizations understand the implications of cookies and respect consent, paying particular attention to how they collect, store and deploy personal data through their web trackers and mobile apps.
It’s not a question of no longer collecting data. It’s a question of collecting data in a way that ensures consumer data rights and builds user trust.
And, with 88% of consumers saying that the extent of their willingness to share personal information is based on how much they trust a company (PwC Protect.me Survey, 2017), the commercial benefit of optimal consent management technology should not be underestimated.
Contact Didomi for any CCPA compliance queries, or for more information on our solutions. We’ll ensure you achieve CCPA compliance.