If you run a US business, you have probably heard of the California Consumer Privacy Act of 2018 (CCPA).
Developed to protect the personal information of California residents (the Act calls them “consumers”), this stringent set of rules affects businesses across industries and sectors.
In the digital age, compliance is key, particularly when it comes to the collection and handling of consumer data. But while data protection compliance is compulsory, that doesn’t make it any less daunting.
To help you navigate your way through the California Consumer Privacy Act, we’ve put together an introduction to CCPA compliance.
Does the CCPA Apply to My Business?
Sector, niche, or industry aside, the CCPA applies to any for-profit organization that does business in California, collects the personal information of California consumers, and meets at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of its annual revenue from selling consumers’ personal information.
It’s also important to understand that even if you don’t deal with Californian consumers directly, you may work with third-party suppliers that do.
Conversely, you may be a third-party supplier or service provider to a business that deals with consumers living in California, in which case your contracts with that business will carry CCPA obligations of their own.
With this in mind, examine your business’s entire ecosystem with a fine-tooth comb to check whether you handle the personal information of California consumers in any way.
If you do, you will need to understand how the CCPA applies to you.
The CCPA: What You Need to Know
At its core, the CCPA gives California’s almost 40 million residents stronger consumer protection. The Act grants them additional rights over how businesses collect, use, sell, and disclose their personal information.
As a business owner, here’s what you need to know from the outset:
- Businesses must inform consumers, at or before the point of collection, which categories of personal information they collect and the purposes for which it will be used. On request, they must also disclose the categories of personal information they have sold or disclosed for a business purpose, and the categories of third parties that received it.
- The Act prohibits businesses from discriminating against, or penalizing, any consumer who exercises their CCPA rights. This covers quality of service, pricing, and other terms of the transaction.
- On request, businesses must give consumers access to the specific pieces of personal information collected about them.
- On request, businesses must delete a consumer’s personal information, subject to the Act’s exceptions (for example, where the data is needed to complete a transaction the consumer requested, or to detect security incidents). If you have passed the consumer’s data to service providers, you must direct them to delete it as well.
- Businesses that sell personal information must let consumers opt out of the sale at any time, and the Act requires a clear and conspicuous “Do Not Sell My Personal Information” link on the business’s homepage for that purpose.
- Both the access and deletion rights apply to “verifiable consumer requests”, so you need a process for confirming the requester’s identity before you hand over, or destroy, anyone’s data. A deletion or access endpoint that skips this step is itself a data exposure risk.
Since the inception of the California Consumer Privacy Act, droves of business owners have been asking the same question: Is the CCPA similar to the European GDPR? Not an unreasonable query, given that both regulate the handling of personal data.
While both the CCPA and GDPR are designed to regulate the privacy of consumer data, there is one striking difference that separates the two.
At its core, the GDPR is a “data protection by design and by default” framework covering the whole of the EU: a business needs a lawful basis, often the individual’s consent, before it processes personal data at all.
In contrast, the CCPA does not gate collection on consent. It lets processing proceed and instead empowers California’s consumers with the autonomy to find out what is collected about them, have it deleted, and opt out of its sale.
While the GDPR offers a preset wall of fortification to protect the data of people in the EU, the CCPA allows Californian consumers to interact with their data and drill down into how it’s really being used, on their terms.
To understand the key differences between the two Acts in greater detail, here’s a CCPA vs. GDPR comparison guide for your reference.
Personal Data as Defined by the CCPA
Establishing what counts as personal data can prove confusing for business owners. Consumer data protection is often a minefield when it comes to compliance, so knowing how the Act defines it is vital. Note that the CCPA’s own term is “personal information”, and that the definition covers households as well as individuals.
To put it into context, here is the definition in Section 1798.140(o)(1) of the Act:
“…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Under the umbrella of personal information, the Act lists the following categories, among others (the list is not exhaustive):
- Name, address, and telephone number
- Passport number
- Driver’s license number and social security number
- Biometric as well as visual, thermal, or audio-based data
- Web browsing activity and geolocation data
It’s clear that in CCPA terms, personal information covers almost any strand of information or digital footprint that could be linked to a consumer or household, including data that is not tied to a named individual, such as a device identifier, a cookie, or a browsing history.
To remain compliant, the best mindset you can adopt as a business is to ask “what is not personal information?” rather than “what is?”. The Act excludes only deidentified and aggregate consumer information, so treat every piece of consumer data you hold as in scope unless you can show it falls into one of those categories.
Treat every customer interaction with the utmost sensitivity and you’re likely to stay on the correct side of data privacy legislation at all times.
Enforcement: An Overview
The CCPA took effect on 1 January 2020. The attorney general cannot bring enforcement actions until 1 July 2020, which gives businesses a six-month grace period for enforcement only; the obligations themselves apply from 1 January.
While there is time to make critical changes and formulate a sustainable CCPA strategy, six months is a short time frame, so immediate action is recommended if you want to avoid unexpected penalties.
Civil penalties are enforced by the attorney general: up to $2,500 per violation, and up to $7,500 per intentional violation. These are civil penalties rather than criminal charges, and they are assessed per violation, so a single systemic failure that affects many consumers can add up quickly.
Since the scope of “a violation” has not yet been tested in court, it’s fair to assume that the attorney general will seek the maximum $7,500 for a serious or deliberate breach of the rules.
Concerning enforcement, it’s also worth noting the Act’s 30-day cure period. When the attorney general notifies an organization of alleged noncompliance, the business has 30 days to cure the violation; if it does so, no civil penalty follows.
This cure period is an organizational olive branch, but if you fail to fix the issue (or issues) within the allotted time, a violation you were notified of and left unaddressed is far harder to present as unintentional, and so risks the maximum penalty.
Since 30 days is not long, having a compliance issue resolution process in place, with named owners for your data inventory, for access and deletion request handling, and for vendor contracts, will help ensure that you find a solution, with due diligence, by the deadline.
Last but certainly not least, CCPA enforcement extends beyond the attorney general and government officials into the hands of the consumer.
The CCPA gives California consumers a private right of action for data breaches, but a narrower one than is often assumed: it applies when nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Consumers can claim statutory damages of between $100 and $750 per consumer, per incident, or actual damages if greater, and a 30-day written notice-and-cure step applies here too before statutory damages can be sought. Two practical consequences follow: encrypting personal information at rest, or redacting it, narrows your exposure under this action, and you need to be able to demonstrate afterwards what “reasonable security” looked like in your environment. Build both into your CCPA strategy.
CCPA: Final Thoughts
CCPA compliance is enough to make your head spin, but to ensure that your business is watertight and protected against potential violations, you must act now.
The CCPA, while consumer-facing, will have a direct impact on every part of your organization. If any person, department, or external partner breaches CCPA regulation, it could prove detrimental to the success and well-being of your business.
As such, taking a painstaking, panoramic approach to your CCPA initiatives is the best way forward. One small lapse by even the smallest cog in the organizational machine could set off a data-protection domino effect, so at every stage of your CCPA compliance journey, check and check again.
Use this guide for reference, examine every aspect of the CCPA in detail, develop a working strategy in collaboration with your company’s senior executives, and CCPA compliance will be within reach.
To help you get started with your CCPA strategy, here is the full California Consumer Privacy Act website for your reference. Best of luck.