Ensure CCPA Compliance With These 3 Factors
In 2018, California passed AB 375, also known as the California Consumer Privacy Act (CCPA). The CCPA came right on the heels of the European Union's General Data Protection Regulation (GDPR). Both are personal data protection laws meant to protect the privacy of online users. The CCPA took effect on January 1, 2020, which means that businesses collecting data from consumers in California must abide by its regulations or risk non-compliance, which can carry real consequences.
However, not all companies must comply. Three main criteria determine whether your business will have to comply with the CCPA:
- Your annual gross revenue exceeds $25 million.
- You buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices per year.
- You derive 50 percent or more of your annual revenue from selling consumers' personal information.
If your business meets any of these three criteria, then the business must comply with the CCPA.
Businesses within the scope of the CCPA that suffer a data breach caused by a failure to maintain reasonable security can be sued by the affected consumers for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Additionally, the Attorney General may fine the business up to $2,500 per violation, or up to $7,500 per intentional violation. To avoid potentially stiff fines, make sure that your company takes into account the three considerations below to remain compliant.
What Prompted The Drafting of AB 375
Consumers have become more and more dependent on the Internet over the years, to the point where they consistently provide websites with their personal information without even realizing it. For example, they regularly give their names, email addresses, and credit card numbers (commonly provided to e-commerce sites). Websites collect other data as well that consumers may not be as aware of, such as any information displayed on their social channels and their online behavior (what websites they visit and what actions they take on those websites).
Personal consumer information is valuable to companies who are attempting to identify who their target audience is and how to improve their marketing efforts. Unfortunately, many websites will also turn around and sell this information to third parties. Sites that do not have proper security measures in place are prone to having their data stolen. Inadequate security can lead to consumer data being used for credit card fraud or identity theft.
Over the past few years, there have been several highly publicized instances of data theft, such as the 2017 Equifax breach, which exposed the personal information of roughly 147 million people, including their Social Security numbers. There has also been ongoing controversy surrounding Facebook and its data collection practices. Californians became aware of these issues and signed a ballot-initiative petition that received 629,000 signatures.
In California, citizens are allowed to propose new laws to be voted on in future ballots. For a proposal to go through, citizens must put together a petition and accrue enough signatures. The petition that eventually resulted in the CCPA requested that the state provide Californians with more control over their personal information; the initiative was withdrawn after the legislature passed AB 375 in June 2018.
Key Regulations of CCPA
The CCPA is comprehensive and considered one of the strictest data privacy laws in the U.S. To remain compliant with the CCPA, you will need to abide by all of its regulations, which will be difficult if you do not understand all of the law's components.
The following are the critical components of the CCPA that every business that falls under the law’s scope should familiarize themselves with:
Addressing Customer Requests
The CCPA gives consumers in California the right to request information concerning their data privacy from any business that collects it. First, consumers have the right to ask what personal information you are collecting about them and whether you are selling that information or disclosing it to third parties. Secondly, consumers have the right to request that you delete the personal information you have collected from them, and to opt out of the sale of their personal information to other parties. Finally, although you can offer financial incentives to consumers in return for permission to collect information, you are still required to provide equal service and pricing to consumers who exercise their privacy rights. You cannot penalize consumers for requesting that you delete their data or stop selling it.
To comply with the CCPA, you must fulfill the consumer’s data privacy requests, which can be a real challenge if you don't properly organize the data you're collecting. Improper organization may mean that you're storing your data on different platforms in a variety of different file names. Cross-silo file management is essential to fulfilling user requests.
There is also a time limit for fulfilling consumer data requests. The CCPA gives businesses 45 days from receipt of a request to respond (extendable once by a further 45 days when reasonably necessary, provided the consumer is told about the extension). The response must state what personal information you have collected about the consumer, whether you are selling or disclosing it, and the categories of third parties to whom it was sold or disclosed. The information you provide must cover the 12 months preceding the request.
Not all consumers understand the process of making a data privacy request. With this understanding, the CCPA allows consumers to use authorized agents to submit a right-to-know request or a request-to-delete order. Authorized agents are individuals or business entities registered with the Secretary of State that are allowed to act on behalf of the consumer they are representing. Authorized agents must have written authorization from California residents that they are representing. The resident may also need to verify their identity. However, any authorized agent that has a power of attorney does not have to submit proof of authorization.
To prevent thieves from requesting potentially sensitive consumer data that they can then leverage to commit fraud, you will need to verify data privacy requests. The last thing you want is to hand personal information to anyone other than the person it belongs to or their authorized agent. The CCPA regulations require you to have a reasonable method of verifying the identity of the person making a request, and the method must be stronger the more sensitive the response: a reasonable degree of certainty suffices to disclose categories of information, while disclosing specific pieces of information calls for a reasonably high degree of certainty. Common methods include confirming control of the email address on file, matching details the consumer supplies against data you already hold, and knowledge-based multiple-choice questions. Whatever method you use, never return Social Security numbers, driver's license numbers, financial account numbers, passwords, or security-question answers in a response, even to a verified requester; the regulations prohibit disclosing these, and the proper answer is to confirm whether you hold such data, not to echo it back.
Provision of Notices
The CCPA doesn’t just require companies to address the data privacy requests of residents in California. The law also requires companies to provide proper notice that they are collecting user data. More specifically, you will be required to provide proper notice at or before the point of collection. This notice must also disclose the categories of personal information you’re collecting and what you are using it for (such as whether you’re using it to improve your website experience or to sell the data to third parties).
Finally, although you cannot punish consumers for exercising their data privacy rights, businesses are allowed to charge different prices or rates, or provide a different quality of goods or services, if the difference is reasonably related to the value the consumer's data provides to the business. If this is your practice, you must also give consumers a notice of financial incentive describing the offer and how the value of their data was calculated. Offering financial incentives in return for consent to collect data is allowed, but the consumer must opt in and may revoke that consent at any time.
Confirming Receipt and Maintaining the Information of Millions of Consumers
Regardless of size, every business must confirm receipt of a right-to-know or right-to-delete request within 10 business days, in addition to the 45-day deadline for the substantive response. Businesses that handle the personal information of a very large number of consumers (4 million in the draft regulations, raised to 10 million in the final regulations) must additionally compile and publish annual metrics on the requests they received, how many were complied with or denied, and the median time taken to respond.
For Service Providers
If your company is considered a "service provider," then you may not be collecting personal information directly from consumers; however, this doesn't mean that the CCPA doesn't apply to you. The term "consumer" under the CCPA refers to any natural person who is a resident of California. The CCPA can still apply if a company that provides a service to another company collects personal information about its contacts at that company. Being a B2B business does not mean you are not collecting personal information. Note that AB 1355 temporarily exempted most business-to-business contact information from the right-to-know and right-to-delete provisions (but not from the opt-out-of-sale and non-discrimination rights); that exemption was initially set to expire on January 1, 2021 and was later extended.
Service providers also cannot keep, use, or disclose personal information that they are collecting for any other purpose than performing the service that is specified in their business contract. Any service provider who obtains personal information via a contractual agreement must abide by the CCPA. If they use the information in a way that violates the law, they will be liable for those violations. However, service providers will not be held liable if the business that they are working with shares personal information with them in compliance with CCPA obligations. For example, if you’re a service provider and a company you’re working with doesn’t delete the personal information of a consumer who requested that they do so, you will not be held liable for holding that personal information.
As for CCPA violations that a service provider is responsible for, the penalties are the same as for any other business found to be in violation. In addition to potentially facing injunctions, a service provider can be penalized up to $2,500 for every violation and up to $7,500 for every intentional violation. If you receive notice of an alleged violation, you have 30 days to cure it before the Attorney General can bring an enforcement action.
Training and Keeping Records
You won’t be able to remain compliant with the CCPA’s requirements if you don’t properly train the employees that handle your consumer data privacy requests. You will need to train these employees to process requests promptly, to respond appropriately, to monitor requests, and to update your data inventory when fulfilling requests.
On top of additional employee training, you will also need to maintain a data inventory. Use this database to monitor all of your data processing activities, including all business processes, applications, products, devices, and third parties that process the personal data of your consumers.
Considerations to Make To Achieve Compliance
1. Increased Disclosures
2. Website Updates
Your website is the primary method through which you collect consumer data, so you must update your site regularly to remain compliant with CCPA. Fortunately, the CCPA does outline what companies have to do to ensure that their website remains compliant. These items will need to either be added to your website or updated when required to achieve and maintain CCPA compliance:
- Whether you're collecting consumer information.
- What kind of consumer data you’re collecting (for example, names and email addresses).
- The reason why consumer information is being collected.
- How you’re collecting consumer data and how you’re processing the information.
- Clear instructions on how people can request access, change, or delete the personal data that you’ve collected from them.
- What method you use to verify the identity of anyone who makes a data privacy request.
- Whether or not you’re sharing or selling consumer information.
- Instructions on how users can request that you stop sharing or selling their personal data.
Keep in mind that if you change the way you collect, use, or share consumer data, then you will need to update your policy.
Unlike the GDPR, the CCPA doesn't require opt-in consent to collect personal information; it requires notice and an opt-out from sale. The exception is minors: you may not sell the personal information of a consumer under 16 without opt-in consent. If the consumer is at least 13 but under 16, the consumer must give that consent; if the consumer is under 13, a parent or guardian must.
Method of Verification and Opting Out
First, you need to give consumers a way to submit requests. The CCPA requires at least two methods, typically a toll-free telephone number and a web form or email address (a business that operates exclusively online and has a direct relationship with the consumer may offer only an email address). If you sell personal information, you must also place a clear "Do Not Sell My Personal Information" link on your homepage and in your privacy policy. However you set it up, make sure users can easily find the method for opting out.
Then, you need to verify requests to access or delete data before acting on them. If you don't, anyone can request anybody's personal information, leading to credit card fraud or identity theft for which you don't want to be held liable. You can use a variety of measures to verify requests, such as requiring email verification or using multiple-choice questions to validate a person's identity. Opt-out requests are the exception: the regulations prohibit requiring a consumer to verify their identity before honoring a request to stop selling their data, although you may deny a request you have a good-faith, documented reason to believe is fraudulent.
3. Data Maps
To ensure that you are capable of fulfilling requests to access, change, delete, or stop sharing or selling data, the consumer data that you’re collecting needs to be properly organized and accessible. Otherwise, you will have trouble fulfilling data privacy requests, which increases the risk of non-compliance. Data mapping is the process of matching data fields from one database to another and will help standardize your data, reduce potential errors, and make it a lot easier to understand.
The CCPA does not mandate a particular technique, but in practice you cannot meet its obligations without a data map that correctly matches the personal information you hold to the California consumer it belongs to. Data mapping allows you to identify a consumer's records within all of your different data sources. It can match and link consumer records across sources and systems, giving you a much better understanding of what data you have, how you're using it, who you're sharing it with, and to whom you are selling it. Data mapping is integral to providing accurate privacy disclosures and to fulfilling consumer requests.
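The following Python sketch ties together the request-handling points above: the email-based identity verification and the rule against echoing sensitive specifics (Addressing Customer Requests), the 10-business-day confirmation and 45-day response clocks, and a data map that joins records keyed differently in each silo to build a 12-month right-to-know report (Data Maps). It is an added example written for this page, not code from the article or any vendor; the silo names, record fields, key, and consumer records are all constructed for illustration, and the business-day calculation ignores holidays.

```python
"""CCPA request-handling sketch: verify the requester, track the
10-business-day / 45-day clocks, and assemble a right-to-know report
from several data silos. Added example; every name, silo and record
below is constructed for illustration."""
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Assumption: in production this key comes from a secrets manager, not source.
TOKEN_KEY = b"example-only-key-do-not-use"
TOKEN_TTL = timedelta(hours=24)


def issue_token(request_id: str, email: str, now: datetime) -> str:
    """Time-limited HMAC token mailed to the address on file; the requester
    proves control of that mailbox by returning it. request_id must not
    contain '.' (assumption of this simple encoding)."""
    expires = int((now + TOKEN_TTL).timestamp())
    msg = f"{request_id}|{email.strip().lower()}|{expires}".encode()
    sig = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    return f"{request_id}.{expires}.{sig}"


def verify_token(token: str, email: str, now: datetime) -> Optional[str]:
    """Return the request id if the token is authentic, bound to this email
    and unexpired; otherwise None. compare_digest avoids a timing oracle."""
    try:
        request_id, expires_s, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return None
    msg = f"{request_id}|{email.strip().lower()}|{expires}".encode()
    expected = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now.timestamp() > expires:
        return None
    return request_id


def deadlines(received: date) -> dict:
    """Confirm receipt within 10 business days (weekends skipped, holidays
    ignored here) and respond within 45 calendar days of receipt."""
    confirm_by, business_days = received, 0
    while business_days < 10:
        confirm_by += timedelta(days=1)
        if confirm_by.weekday() < 5:
            business_days += 1
    return {"confirm_by": confirm_by, "respond_by": received + timedelta(days=45)}


# Constructed silos. Each keys the consumer differently; DATA_MAP records
# which field identifies the consumer in each one.
CRM = [{"email": "ana@example.com", "name": "Ana Ruiz", "ssn": "000-00-0000",
        "collected": date(2020, 3, 2), "categories": ["identifiers"]}]
ORDERS = [{"customer_email": "ANA@example.com", "card_last4": "4242",
           "collected": date(2019, 1, 15), "categories": ["commercial information"]}]
AD_SYNC = [{"email": "ana@example.com", "segment": "outdoor-gear",
            "collected": date(2020, 5, 9), "categories": ["internet activity"],
            "sold_to": "advertising networks"}]

DATA_MAP = {"crm": ("email", CRM), "orders": ("customer_email", ORDERS),
            "ad_sync": ("email", AD_SYNC)}
METADATA = {"collected", "categories", "sold_to"}
# Specific pieces the regulations say must never be returned in a response.
NEVER_DISCLOSE = {"ssn", "account_number", "password", "security_answer"}


def build_report(email: str, as_of: date) -> dict:
    """Right-to-know report covering the 12 months before as_of: which silos
    hold the consumer's data, which fields (minus never-disclose items),
    the categories collected, and the categories of third parties sold to."""
    window_start = as_of - timedelta(days=365)
    key = email.strip().lower()
    report = {"consumer": key, "window": (window_start, as_of),
              "sources": [], "categories": set(), "sold_to": set()}
    for silo, (key_field, records) in DATA_MAP.items():
        for rec in records:
            if rec[key_field].strip().lower() != key:
                continue
            if not window_start <= rec["collected"] <= as_of:
                continue  # outside the 12-month look-back
            fields = sorted(k for k in rec
                            if k not in METADATA | NEVER_DISCLOSE and k != key_field)
            report["sources"].append({"silo": silo, "fields": fields})
            report["categories"].update(rec["categories"])
            if rec.get("sold_to"):
                report["sold_to"].add(rec["sold_to"])
    return report
```

The point of the data map is the per-silo key field: the orders system stores the email in mixed case under a different column name, and without normalization and an explicit mapping that record would be silently missed (here it is excluded only because it falls outside the 12-month window). The SSN held in the CRM is reported as a category but never copied into the response, which is the behaviour the regulations require even for a fully verified requester.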
Control Your Risk, Be Compliant
Collecting consumer data is a very commonplace practice. It’s the data that you obtain that allows you to identify and analyze your target audience, enabling you to improve your marketing, sales, and customer service strategies more effectively. However, if you are collecting data from residents in California, then you have a legal responsibility not only to keep that data secure but also to inform users about your data collection practices. By remaining compliant with CCPA, you will not only avoid potentially stiff fines as a result of violations, but you’ll also increase brand trust and help limit the risk of data theft. It only makes sense to put the necessary training, methods, and tools into place to ensure CCPA compliance.
Ensure minimal risk and a high ROI by partnering with technology. Contact us today!