CCPA – What is the California Consumer Privacy Act?
Online consumer privacy is an ever-growing concern. Every time a consumer accesses a website, the company collects personal data on them. But what is personal data? Personal data is considered anything that differentiates one user from another. This can be as in-depth as a social security number or as vague as a user’s age range. With sites collecting massive amounts of this personal data about users, many have grown to question why this data is being collected, who has access to it, and how it’s being used. As people become more vocal about their online privacy concerns, governments have begun stepping in, creating laws and regulations to control the collection and use of consumer information.
One of the newest pieces of legislation is the California Consumer Privacy Act, known as the CCPA. This act applies only to residents of California and was created as a way for California residents to limit the amount and type of information businesses can collect.
CCPA was signed into law on June 28th, 2018, and went into effect on January 1st, 2020. On June 1st, 2020, the final proposed regulation package was submitted to the California Office of Administrative Law (OAL). Once the OAL approved the regulations, the CCPA became enforceable as of July 1st, 2020. Because it is now an enforceable law, businesses and websites face consequences for noncompliance.
Who Must Comply With the CCPA?
Businesses that do business in California, regardless of where in the world they are located, should determine whether they must comply with CCPA. For businesses that serve California residents, there are three main criteria that decide who must comply with CCPA regulations. To fall under the CCPA, a business must have at least $25 million in annual revenue, or hold the personal data of 50,000 or more consumers, households, or devices, or earn more than half of its annual revenue by selling personal data. Only one of these requirements must be met for a company to fall under the CCPA.
Companies that CCPA doesn’t apply to are insurance institutions, agents, and support organizations. That doesn’t mean they can do whatever they please with Californians’ data: an existing regulation called the IIPPA, which is very similar to the CCPA, already applies to insurance institutions and the like. CCPA also doesn’t apply to nonprofit organizations, even if they meet one of the three criteria above.
What Are the CCPA Requirements?
Companies that must comply with CCPA have quite a few requirements to adhere to. The CCPA is a consumer-centric regulation, so every requirement relates to consumers’ ability to limit, and be informed about, the collection, storage, and use of their data. The following are the most important requirements for CCPA compliance.
Right to Notice
If a company plans to collect personal data, it must explicitly state its intentions in a way that alerts the consumer upon accessing the site. Most sites use a notification popup that requires consumers to manually accept these permissions.
Right to Request
The CCPA states that consumers have the right to request a specific breakdown of the personal information that has been collected. Companies must provide this data, either by mail or online, in a way that is easy to access and read.
Right to Know
California residents have the right to know exactly how and why their data was collected. Companies must disclose the categories of data collected, the sources used to collect the information, the purpose of collecting or selling the information, which third parties the information will be shared with, and the specific pieces of information that were collected.
Right to Opt-Out
Companies must provide a link titled “Do Not Sell My Personal Information” that leads to an easy-to-submit form consumers can fill out to opt out of personal data sales. Once a customer has opted out of the sale of their information, a company must wait a minimum of one year before requesting their information again.
Right to Delete
Consumers have the right to submit a request to have their personal information deleted from a specific company’s databases. If a customer submits such a request, the company must also contact any companies they have shared the customer’s data with and request that they delete it, as well.
Right to Notification of Financial Incentive
Some companies may offer incentives to consumers who approve the use of their personal data. If a company offers such incentives, monetary or otherwise, it must disclose the incentive to its customers. Consumers must give explicit consent to opt in to a company’s incentive program.
Right to Not Be Discriminated Against
Since companies benefit from being able to collect and use personal data, they want as many customers as possible to approve the use of their information. However, many people will choose not to share their data. The CCPA ensures that customers who opt out of personal data sharing won’t pay more, be given lower-quality products or services, or be enticed with lower prices if they share their data.
GDPR vs. CCPA
The General Data Protection Regulation, or GDPR, is a vast set of rules that gives EU citizens more control over how their personal data is used. While this sounds very close to CCPA, the two differ in many ways.
GDPR and CCPA apply to different entities. GDPR applies to data controllers and data processors, while CCPA applies to for-profit businesses that serve California residents and meet one of the requirements listed above. This means GDPR is much broader, both in the citizens it protects and the organizations it applies to.
Both the CCPA and GDPR have the same basic definition of what constitutes personal data. While the GDPR says any “identifiable data” and the CCPA says “information that identifies…a particular consumer or household,” both of these definitions mean any data that can identify one person from another. The only difference is that the CCPA also protects households and specific devices, not just individual consumers.
When looking at the rights granted by the GDPR and the CCPA, some parts are very similar and others are vastly different. The right to access, right to deletion, right to nondiscrimination, and right to request are all very similar; both regulations do nearly the same thing to protect citizens in these regards. However, GDPR includes many rights, such as the right to rectification, the right to restrict processing, and the right to object to processing, that CCPA doesn’t include. Though GDPR contains some protections that CCPA does not, both regulations take important steps to protect citizens and consumers online.
How is CCPA Enforced?
As of Wednesday, July 1st, 2020, CCPA is enforceable by law. But what are the consequences of being non-compliant with CCPA? So far, the CCPA makes clear that when it comes to noncompliance penalties, fines will be issued to companies and damages can be awarded to consumers when CCPA regulations aren’t followed.
The civil penalty for companies that fail to comply with CCPA is up to $7,500 per incident. When you consider the massive number of people the average company holds information on, these fines could add up to a substantial amount. While $7,500 is the maximum, most violations will result in smaller fines. However, if a violation is considered intentional, meaning the company didn’t take any proper steps to comply with CCPA, fines will likely be larger than for companies that violate CCPA unintentionally.
For damages to be paid to consumers, a lawsuit must first be filed and the attorney general must be involved. When damages are awarded, the amount can be anywhere from $100 to $750 per consumer per incident. Such damages will most likely only be paid in the event of gross negligence by the company that leads to consumers incurring a substantial loss, such as identity theft or a personal data breach.
How CCPA Impacts Your Business
Depending on the type of business you have, there are a few different ways your business will be impacted. The act of becoming CCPA compliant, having limited data on consumers, and the inability to sell personal data are just a few of the major changes CCPA will bring about for many businesses.
Not only will businesses have to carefully craft CCPA sections on their websites, but those sections will also need to be updated every year. CCPA information on a website must be prepared carefully to be sure it meets all legal requirements. For some smaller businesses, the cost of becoming CCPA compliant could be significant.
Since California residents have the option to opt out of, limit, and delete collected personal data, businesses may find that they no longer have much of the useful consumer data they used to have. This will impact a business’s ability to create an effective marketing strategy and predict consumer trends, especially in California.
For businesses that rely on selling data, the impact of CCPA will be more severe. Not only will these businesses collect less data than usual, but the data may also be skewed, since many California residents may opt out of data collection. Since CCPA is limited to California, this impact shouldn’t be a devastating one. But if more states adopt regulations like the CCPA, businesses that sell data may be gravely impacted.
Which Companies Does the CCPA Affect?
When GDPR was introduced, companies that did business in the EU scrambled to craft permissions that would keep them compliant with the regulations. Since this only applied to businesses that operated internationally, many businesses that only do business in the US were able to avoid the headache that these regulations caused. But now, with CCPA, many larger businesses that operate in the US will have to navigate becoming CCPA compliant.
As stated earlier, CCPA affects any for-profit company that provides goods or services to California residents and meets any one of the three requirements given above: at least $25 million in annual revenue, personal data on 50,000 or more consumers, households, or devices, or more than half of its annual revenue earned from selling personal data.
Companies that meet any of these criteria must have CCPA permissions prominently available on their website.
What the CCPA Means for Marketers
As the popularity of the internet rose, the way we market completely changed. Collecting data, from locations to age groups and everything in between, has made marketing far more effective than ever before. Marketers can predict which products specific consumers will be interested in, craft ads that attract certain consumers, and target specific consumers to ensure a higher rate of return on marketing campaigns. But with CCPA regulations, marketers may not be able to collect as much of this valuable data.
As more California residents opt out of personal data collection, marketers may be taking shots in the dark when crafting ads and campaigns that target them. Marketing strategies aimed specifically at California residents may be less effective than they have been in the past. However, since consumers aren’t automatically opted out, and many will agree to opt in to personal data collection, marketers will still have a large amount of valuable consumer data to rely on when crafting their marketing strategy.
CCPA, the Bottom Line
Now that you’ve brushed up on the ins and outs of the CCPA, it’s time to see if you fall under its scope. If so, the time to become CCPA compliant is now. Though regulations like the CCPA may be a hassle for businesses, it’s important to understand that having consumers who trust your company is invaluable. By becoming CCPA compliant and taking the necessary steps to protect customers, you help them feel more at ease while conducting business, which makes them more likely to make purchases from your CCPA-compliant business.