The California Consumer Privacy Act (CCPA) is a data regulation law which governs how companies and other entities handle the personal data of California residents. It came into effect on 1st January 2020 and is the first law of its kind in the United States; the CCPA is therefore often dubbed California's GDPR. Its arrival prompted companies across the US to follow the regulations and update their privacy policies as required. By some estimates, the implementation of the CCPA affected thousands of businesses that were collecting the personal data of approximately 40 million Californian citizens. The California Attorney General's office is primarily responsible for enforcing the CCPA on behalf of California's residents.
The CCPA follows these principles:
- Right to access.
- Right of notice.
- Right to opt-out.
- Right to deletion.
How to find out if CCPA is applicable to you?
In general, the CCPA applies to any for-profit business in the state of California that collects or processes the personal data of California residents.
The exact determinants are as follows:
- If the annual turnover of the company is approximately $25 million or more.
- If the company holds the data of fifty thousand or more consumers/devices.
- If the company earns more than half of its revenue by processing the personal information of citizens.
- The CCPA also applies to organisations or bodies that own the company, or that share a common trademark or branding with it, thus ensuring a wider jurisdiction.
How can you ensure CCPA compliance?
Even if a company is not based in California, these laws may still apply to it if it handles the personal data of California citizens.
Here are some steps you can take to ensure your compliance with the laws:
- Know how the CCPA affects your organisation
The CCPA protects California residents; it does not apply to legal persons such as private businesses or governments. The law mandates that people know what data is being collected from them. The first thing to do is to understand how this applies to your organisation.
- Structure your collected consumer data
You can start by finding the answers to these questions: what data is being collected, how it is being collected, where it is being stored, who else has access to it, and whether any other parties also receive a share of the collected data. An organisation must be able to answer these basic questions about its data collection. If your data is handled by third parties, they also need to give you the answers to the above questions.
- Allow customers to decline
You must obtain your customers' consent before selling their data; they must have the option to decline.
- Have a structure on how you will manage customer requests
The CCPA requires you to provide information to a customer, on request, within 45 days and free of charge. You must be able to provide copies of personal information, delete data on request, explain how the data is being used, exclude persons under the age of 16, and obtain a guardian's consent for consumers under the age of 13.
- Keep your software systems updated
It is highly likely that implementing the CCPA will require updates to your software, so prepare your IT team for the required changes and for following the new procedures.
- Train your employees
You need to educate your teams about the CCPA and its compliance requirements, especially those in public roles. Your employees must know how the CCPA applies to your organisation, how to collect and process data, how the laws apply, and so on.
- Prepare a plan to protect yourself from data breaches
The CCPA allows consumers to file a case and claim damages in the event of a data breach. This can deal a huge blow to your organisation's business and reputation. Enhance your security measures, use encryption, and adopt all applicable new technology to improve security. You also need a plan for a potential data breach and for remediating it as quickly as possible.
Is someone exempt from CCPA compliance?
- The CCPA currently exempts some personal information that businesses collect from natural persons in the course of job applications, or when the person is acting as an employee, owner, director, or medical staff member.
- Business-to-business (B2B) transactions and related communications carried out for due diligence when providing a product/service, in partnership or non-profit roles, are also exempt from CCPA compliance.
Both of these exemptions were set to expire in December 2020, but recent legislation in the State of California extended them until January 1, 2022.
What happens if you fail to comply with CCPA?
The central theme of the CCPA is consumer rights. You and your teams must know the laws, your duties, and your customers' rights.
Notice and resolution period
A consumer wishing to file a complaint about a violation must do so in writing and provide 30 days' notice with it. This gives the business a 30-day window to resolve the violation. If an organisation fails to rectify a violation, the consumer then has to file a right of action with the Attorney General, again with a month's notice. From this point on, the process is at the discretion of the Attorney General. If a consumer is not satisfied with the Attorney General's decision, they can pursue their own suit.
Fines for non-compliance with the CCPA
- For intentional violations, a fine of $7,500 can be imposed.
- For unintentional violations, a fine of $2,500 can be imposed.
- Consumers themselves can file their own lawsuits to claim damages ranging from $100 to $750, depending on whichever amount is higher.
- The sums above may not seem large to a tech giant, but imagine a scenario in which a big company causes a data breach that puts the personal information of 100,000 individuals at risk: a fine of that size, applied for each of those people, adds up to a huge amount of money.
The CCPA is one of the most recent laws enacted in the interest of individual privacy. We live in a digital age, and it needs digital rules to regulate it well. The CCPA was drafted very rapidly for political and tactical reasons, and making a law of such expansive reach work well is a legislative challenge under any circumstances. Its enactment has already been followed by a series of amendments intended to clarify, streamline, and defer specific requirements of the law, yet many ambiguities remain.