CCPA - California's New Data Privacy Law and What it Means For Your Business
California's new data privacy law, the California Consumer Privacy Act (CCPA), also known as AB-375, was unanimously passed with new guidelines that any company doing business with California consumers and companies must comply with. The law goes into effect in 2020. If a company fails to use reasonable and appropriate safeguards to protect unencrypted or unredacted consumer data that is compromised in a data breach, it could be liable for anywhere between $100 and $750 in damages per exposed individual. Companies could face up to $7,500 per violation in civil fines for other CCPA violations.
Key changes under AB 375
The CCPA grants "consumers," defined as California residents, the ability to direct businesses to delete or refrain from selling their personal information under certain circumstances.
Under the CCPA, consumers are granted:
- The right to know about all data collected
- The right to deny the sale of personal information
- The right to delete personal data
- The right to be informed of what categories of data will be collected
- Mandated opt-in to be informed of any changes
- Mandated opt-in before the sale of children’s information (under the age of 16)
- The right to know the types of third parties with whom the data will be shared
- The right to know how the data was acquired (sources of information)
- The right to know the reason information is being collected
- Enforcement by California’s Attorney General
- The private right of action when companies breach consumer data
The CCPA also details requirements pertaining to consumer requests. Businesses must make two or more designated methods for submitting requests for information, including a toll-free phone number and website. Businesses also must disseminate the requested information to consumers within 45 calendar days, free of charge. Websites must display links that enable customers to opt out of the sale of their personal information.
Additionally, companies will be prohibited from discriminating against consumers who exercise their privacy rights by denying them goods or services, providing a different level of quality of those goods or services, or charging different prices or rates. However, the new law does authorize businesses to offer financial incentives for the collection of personal information, including payments to consumers.
Who is affected by the new law?
Similar to the GDPR's definition of personal data, the CCPA applies to "personal information" that is broadly defined to include IP addresses, browsing history, and even inferences drawn from any of the identified information that creates a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The CCPA specifies that it will only apply to certain types of businesses that collect and process the personal information of California consumers. The law defines "business" to mean one that is either a sole proprietorship, partnership, LLC, corporation, association or other legal entity organized or operated for the financial benefit of its shareholders or other owners, that (1) collects consumers' personal information, (2) determines the purposes and means of the processing of consumers' personal information, and (3) does business in California. The business must also satisfy one of the following conditions:
- have annual gross revenues in excess of $25 million;
- alone or in combination, annually buy, sell, or receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- derive 50 percent or more of annual revenues from selling consumers' personal information.
The CCPA will apply to companies ranging from Google and Facebook to small businesses and startups.
Please note: the law will not apply to protected health information that is already subject to regulation under HIPAA or personal information covered by the Fair Credit Reporting Act.
For a business to not qualify within the scope of the CCPA, the consumer must reside outside of California while their data is being collected and processed, and the collection and processing must take place outside of the state as well.
The Assessment (what questions do you need to ask yourself to prepare for 2020?)
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymisation be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
- Are we transferring the personal data outside of California and if so, do we have adequate protections in place?
We'd be happy to work with you on these new compliance requirements! To schedule an appointment with a Blackpoint engineer, fill out the contact form or call us at (866) 575-9512.
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.