The Ultimate Guide to California Consumer Privacy Act [CCPA]
Trust is key in building strong business-consumer relationships, especially for online purchases of goods and services. People need to know that their information, from personal data to financial details, will be protected.
In light of recent data exploitation scandals, such as the leak of over 540 million Facebook records, customers are actively looking for privacy protection and data security from online firms and websites.
The California Consumer Privacy Act (CCPA) is a vital part of the state’s evolving response to the issue.
A recent Pew Research Center study found that many Americans lack trust in key institutions, specifically when it comes to protecting their data. That includes social media sites and the government.
This lack of confidence is related to how the majority of people have already experienced a major data breach on a personal basis, according to the study’s findings.
Restoring a good working balance calls for a strong response to the public's disillusionment and privacy concerns. The corrective measures need to come from the federal and state governments, from businesses acting in good faith, and from consumers themselves.
In today's data-driven world, online businesses and websites should do their part by establishing stronger channels for data trust and consumer privacy.
The California Consumer Privacy Act is a more comprehensive and expansive privacy law that will help propel this movement towards increased privacy for consumers transacting with online businesses.
Table of contents
- What is the California Consumer Privacy Act (CCPA)?
- Why is the CCPA essential for online businesses and websites?
- Who needs to comply with the CCPA?
- CCPA key principles
- What does “personal information” mean under the CCPA?
- What is “the right to opt-in”?
- How to comply with the CCPA?
- CCPA non-compliance penalties and consequences
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act is a relatively new law meant to give consumers more control over how their personal information is accessed and used.
The law sets out more comprehensive requirements for upholding privacy protection and data integrity, including the consumer's right to know how their information is used and to restrict access to it.
The CCPA was signed into law in 2018. It is set to take effect on January 1, 2020, while enforcement of the law will begin on July 1, 2020.
Before enforcement begins, the Office of the Attorney General is holding four public hearings on the proposed regulations. Any interested person can present statements or comments on the proposed regulations, which will define the procedures businesses must follow to honor the new consumer rights.
Though a state law, its jurisdiction is not strictly limited to businesses and websites based or registered in California. In fact, the law can influence the operations of businesses and websites based in other states and even other countries.
The CCPA will apply to all businesses and firms meeting specific criteria, including the collection of data of an individual residing in California.
Why is the CCPA essential for online businesses and websites?
Consumers are constantly in need of ways to increase privacy protection and improve data security. The need for tighter safeguards is partly driven by headlining breaches in data security.
New data breaches and privacy concerns need to be addressed by increasingly innovative and effective policies.
Unfortunately, in financial and commercial transactions firms hold most of the power over what information is collected and retained, while consumers bear the risk of having their data compromised.
The government has to step in with a strong law that upholds the privacy rights of consumers.
The full text of the law is on California’s legislative website, and its legislative findings cite the March 2018 privacy scandal involving the data-mining firm Cambridge Analytica. The CCPA is also partly inspired by the EU's General Data Protection Regulation (GDPR).
The GDPR imposed stronger rules on data protection to give people more control over their personal data, and it has put the EU at the forefront of data privacy. Note that companies that are already fully compliant with the GDPR can more easily comply with the CCPA.
The California Consumer Privacy Act gives consumers a more active role in monitoring and protecting their own data through a set of safeguards that businesses must implement.
The law recognizes that consumers give up personal information in almost every hour of their daily life, from going to the hospital to attending a school or applying for a job, and even buying a car.
These transactions build up and put consumers in a vulnerable position in terms of data integrity and privacy. As such, it is becoming increasingly more important to protect consumers from the possible misuse of personal data.
Many firms may express apprehension regarding the CCPA’s chilling effect on the behavior of consumers.
For example, the reminder that their data will be collected and sold to third party users may demotivate consumers from transacting with the websites.
It may become more challenging to cultivate business relationships with California-based consumers. However, its long-term effect may be the opposite.
Through its implementation, the CCPA seeks to increase consumer trust in firms and in state and federal government. Consumers are more likely to engage with online businesses and websites when they can see that both the firm and the government are committed to protecting privacy.
The CCPA removes the uncertainty of the past. In effect, this law can also boost the willingness of consumers to share data, enhancing the innovation of data-based research and products in the long term.
Who needs to comply with the CCPA?
The California Consumer Privacy Act outlines new processes that businesses must follow to safeguard personal information. It clearly affects how businesses work and how operations and policies play out within a company.
As such, firms that must comply with the CCPA should establish compliant internal processes for data handling as soon as possible.
Knowing whether or not the CCPA applies to your online business or website is essential, given that the law is already in effect and enforcement begins on July 1, 2020. It is also worth noting that the CCPA is likely to inspire similarly strong privacy laws in other states.
The CCPA applies to for-profit businesses of any size, within and outside California, that meet certain criteria. Online businesses and websites do not even have to be based in the United States to qualify.
They only need to do business in California and handle the personal information of consumers under the jurisdiction of the state.
First, the firm must do business in California and collect the personal information of California residents. As such, companies based in Asia or Europe can be subject to the CCPA as long as California residents are among the people they market or sell to.
The California Consumer Privacy Act explicitly defines “consumer” as a natural person who is a California resident.
Next, the CCPA singles out businesses by revenue and by the volume and commercial role of the personal information they handle. To fall under the CCPA, the business must also meet at least one of the following thresholds:
- Has annual gross revenue of more than $25 million
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually
- Earns 50% or more of its annual revenue from selling consumers' personal information
The CCPA still has limited jurisdiction. The privacy act does not apply when the collection and sale of personal information take place wholly outside of California. For the exemption to apply, all of the following must hold:
- The consumer was outside of California when the personal information was collected
- No part of the sale of that information occurred in California
- No personal information collected while the consumer was in California is sold, even when the buyer is outside California
The CCPA also does not cover insurance institutions, agents, and support organizations. These entities are subject to a different law, California’s Insurance Information and Privacy Protection Act (IIPPA), which, much like the CCPA, sets standards for privacy and opt-out notices.
CCPA key principles
The CCPA is a complex act that has multiple layers and implications on the capabilities, processes, and expected compliance of firms. However, this act can be broken down into five basic principles or rights of consumers, which must be upheld.
- Right to know about the collection of information
- Right to know about the use of information
- Right to say no to the use or sale of information
- Right to access information and to request removal
- Right to equal service and price
These rights are protected under the CCPA in order to optimize the consumers' capacity to control how their information is used and accessed. Failure to uphold these principles can lead to serious penalties for the non-compliant firms, including civil lawsuits on top of steep fines.
What does “personal information” mean under the CCPA?
Personal information includes any data that identifies, describes, or can be associated with, or can be reasonably linked to a specific consumer or household.
Types of data include name, postal address, email address, Internet Protocol address, driver's license number, professional or employment-related information, and other identifiers that serve a similar purpose.
Aside from nominal or word-based information, data such as biometrics, audio recordings, visual, olfactory, thermal, and similar information are also considered personal data.
Facial recognition, which is increasingly becoming part of daily life, is also considered a type of personal information. Sleep habits also count as personal information under the CCPA.
Commercial information relating to transactions such as the purchase or sale of personal property or services should also be protected.
Other data that can be used to track and predict behavior, including internet activity such as browsing and search history, interactions with advertisements, and geolocation data, are also personal information.
It is important to note that the definition of personal information is qualified by the term “reasonably”.
That is, only data that can reasonably be linked or associated with a particular consumer or household is covered. This excludes information that could technically be associated with a consumer but is very unlikely to identify them in practice.
Personal information also does not include data that has been de-identified or aggregated, or publicly available information lawfully made available from federal, state, or local government records.
Right to know about the collection of information
The first category of safeguards that must be established is facilitating the right to know about the collection of information.
The use of personal data is closely tied with the ideas of clear informed consent, which must be accessible and unambiguous as well. Consumers should know that their personal information is being collected for a specified purpose.
Online businesses and websites must have a clear and conspicuous link relating to the collection of personal information. Firms are duty-bound to inform consumers of their intent to collect data.
Right to know about the use of information
Beyond informing consumers of the intent to collect information, consumers also have the right to know about its consumption. Firms need to facilitate the creation of more informed consent.
Online businesses have to detail what types of personal information will be collected and how it will be used. They should also state whether the information is for targeted advertising, product development, or third-party use.
If a third party is involved, consumers also need to know with whom the information will be shared.
There should also be a separate line stating that additional categories of personal information will not be collected or used unless the consumer is again informed. In this manner, business policies should be as dynamic or responsive as possible to meet the evolving privacy interests of consumers.
Right to say no to use of information
As part of privacy protection and informed consent, consumers have the right to say no to certain use of information. It is also known as the “right to opt-out”, which comes in many privacy laws.
Firms need to provide mechanisms to empower consumers to prevent businesses from selling their personal information to third parties. They do this by placing a clear and conspicuous link on the homepage of the website. The link should state the option of users as "do not sell my personal information."
Right to access information
The CCPA seeks to give consumers more control over the use of their personal information.
This includes the recognized and protected rights of consumers to access their personal information. In practice, this means that firms must facilitate the disclosure and delivery of relevant information, all free of charge to the consumer.
Consumers also have the choice to restrict access to their personal information. They can request online businesses to remove any personal information that has been collected from them.
As part of this category, businesses and companies with an online presence need to have data tracking systems covering transactions and information collected in 2019.
The CCPA requires data tracking systems covering the previous 12 months, so firms that want to stay compliant need to update their systems as soon as possible.
Online businesses and websites also need to provide customers with more details about which categories of personal information are being accessed. Details that may be requested include:
- Sources of personal information collected
- The purpose for collecting information or for selling data to third parties
- Categories of third parties involved in the sale of personal information
- Specific pieces of personal information collected, stored and accessed
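To make the 12-month look-back and the four disclosure categories concrete, here is a small added example (not code from the original article or from any regulator) of how a business might assemble a response to a consumer's access request from a per-record data inventory. The record schema, the `CollectionRecord` and `access_report` names, the sample records and the use of a fixed 365-day window in place of the statute's 12 calendar months are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class CollectionRecord:
    """One piece of personal information held about a consumer (hypothetical schema)."""
    consumer_id: str
    category: str        # CCPA category, e.g. "identifiers", "internet activity"
    field: str           # the specific piece, e.g. "email"
    value: str
    source: str          # where the business obtained it
    purpose: str         # business or commercial purpose for collecting it
    collected_on: date
    sold_to: tuple = ()  # categories of third parties it was sold to, if any

# The CCPA look-back is the 12 months preceding the request. A fixed 365-day
# window is an assumption that stands in for the statute's calendar-month period.
LOOKBACK = timedelta(days=365)

def in_scope(records, consumer_id, request_date):
    """Keep only this consumer's records collected inside the look-back window."""
    start = request_date - LOOKBACK
    return [r for r in records
            if r.consumer_id == consumer_id and start <= r.collected_on <= request_date]

def access_report(records, consumer_id, request_date):
    """Build the disclosures a consumer may request: categories, sources,
    purposes, categories of third parties, and the specific pieces themselves."""
    scoped = in_scope(records, consumer_id, request_date)
    pieces = {}
    for r in scoped:
        pieces.setdefault(r.field, []).append(r.value)
    return {
        "categories": sorted({r.category for r in scoped}),
        "sources": sorted({r.source for r in scoped}),
        "purposes": sorted({r.purpose for r in scoped}),
        "third_party_categories": sorted({t for r in scoped for t in r.sold_to}),
        "specific_pieces": pieces,
    }

# Constructed sample inventory: two consumers, one record older than 12 months.
SAMPLE_RECORDS = [
    CollectionRecord("c-1001", "identifiers", "email", "a.lee@example.com",
                     "account sign-up form", "order fulfilment", date(2019, 3, 15)),
    CollectionRecord("c-1001", "identifiers", "ip_address", "203.0.113.7",
                     "web server logs", "fraud prevention", date(2018, 12, 1)),
    CollectionRecord("c-1001", "internet activity", "browsing_history", "/products/shoes",
                     "first-party cookie", "targeted advertising", date(2019, 11, 20),
                     sold_to=("advertising networks",)),
    CollectionRecord("c-2002", "geolocation", "last_location", "37.77,-122.42",
                     "mobile app", "store locator", date(2020, 1, 5)),
]

# Constructed request date, shortly after the law took effect.
REQUEST_DATE = date(2020, 2, 4)

if __name__ == "__main__":
    import json
    print(json.dumps(access_report(SAMPLE_RECORDS, "c-1001", REQUEST_DATE), indent=2))
```

The point of the per-record schema is that every piece of data carries its own source, purpose and sale history, so the look-back filter and the four disclosures fall out of the same inventory. A system that only stores the current value of each field cannot answer the "within the previous 12 months" question, which is why the article urges firms to update their tracking systems now.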
Right to equal service and price
Exercising the right to privacy is protected by CCPA. As such, consumers who choose to opt-out of data collection or to restrict access to their information should not be subject to penalty.
Under this category, firms are not allowed to charge consumers different prices or to refuse service or sale for the reason of exercising their privacy rights. The following acts are not allowed:
- Denial of goods or services
- Misuses of discounts or benefits
- Differing level or quality of goods and services
What is “the right to opt-in”?
The CCPA also recognizes a right to opt-in, specifically with regard to minors. Firms must not sell the personal information of consumers they know to be under 16 years of age.
The exception is affirmative authorization: the sale is allowed only after the business has received explicit, opt-in consent.
A consumer who is at least 13 and under 16 may give that authorization themselves; for a child under 13, only a parent or legal guardian can opt in on the child's behalf.
How to comply with the CCPA?
To ensure compliance with the CCPA, firms need to change their policies in preparation for the act's enforcement in 2020.
Small to medium online businesses need responsive database administrators who can create or substantially modify the current tracking systems of the firm. Aside from providing the regulations which enable the new rights of consumers, the CCPA regulations also provide guidelines on how businesses may comply.
Change towards compliance will take effort and time. The impact assessment done by the State of California showed that the overall cost of initial compliance with the new law will total to $55 billion.
Broken down into categories, smaller firms with less than 20 employees are likely to incur $50,000 in initial costs. Medium-sized firms will have an initial cost of at least $100,000. Meanwhile, larger firms with greater than 500 employees would have an average initial compliance cost of $2 million.
The CCPA does allow some room for adjustment. Before the Attorney General can bring an enforcement action, a firm notified of an alleged violation has 30 days to cure it.
Similarly, personal information collected from employees and job applicants is partially exempt from the law's requirements for one year.
Companies that have already changed and strengthened their data practices to comply with the GDPR can more efficiently tweak their processes to comply with the CCPA as well.
As strong, pioneering laws in their respective jurisdictions, the GDPR of the EU, and the CCPA share many similarities in both principle and practice.
CCPA non-compliance penalties and consequences
Compliance with the CCPA is part of a greater commitment towards ensuring privacy protection and data integrity for Californians. Any reports of non-compliance with the new law are subject to careful review.
The CCPA also gives consumers a private right of action, but only for data breaches: when nonencrypted and nonredacted personal information is exposed because the business failed to implement reasonable security procedures. In that case the consumer can sue:
- To recover damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater
- For injunctive or declaratory relief
- For any other relief the court deems proper
The price of violating the CCPA is steep. Any business, service provider or other person that violates the law is liable for a civil penalty of up to $2,500 per violation, rising to $7,500 for each intentional violation, in an action brought by the Attorney General.
Aside from civil penalties, breach suits under the CCPA can be brought as class actions.
With such heavy consequences, it is better to be proactive about placing the complex safeguards as outlined earlier.
Even something as seemingly simple as the lack of a clear and conspicuous "Do Not Sell My Personal Information" link on a company’s website can be grounds for an enforcement action, draining time and effort away from the main business.
Striving for full compliance with the CCPA will be a work in progress as the state also establishes its mechanisms for enforcement.
As a complex, sweeping act on U.S. consumer privacy, it challenges both the meaning of information security on a broader scale and the operations of online businesses as well.
As the CCPA finds its way towards full enactment, firms and online businesses can invest in creating data storage and management systems.
These would show a strong understanding of the rights of consumers to know, access their data, restrict access or use, and many more.
In the future, highly-compliant businesses stand to gain from improved commercial relationships with California-based consumers.
- Updated on February 4, 2020