Data privacy has become a hot topic in recent years, especially with major controversies surrounding massive data breaches and the sale of personal information making headlines across the globe. Concern over data privacy is why the GDPR passed in Europe. While the United States has no expansive federal data privacy regulation, states are beginning to enact their own data privacy laws. One of the most comprehensive of these is the CCPA (California Consumer Privacy Act), which passed in 2018.
Most businesses collect user information in one way or another, either by email opt-in forms or by monitoring user behaviors on their websites. This makes it easier to understand who your customers are and adjust your marketing and sales efforts accordingly. However, if you are collecting user data in California, then you may need to investigate whether or not you comply with the CCPA, which went into effect in January 2020.
What Is CCPA?
The CCPA, more formally known as AB-375, is an act requiring businesses that collect consumer information in California to be more transparent about their data collection practices. The law came about when California residents signed and submitted a petition (which is how residents can propose new legislation in the state) requesting better consumer data protection. Not only does the CCPA require businesses to disclose what data they’re collecting from users in California, but it also requires them to fulfill any requests those consumers make regarding how that data is used. Finally, if the privacy guidelines outlined in the CCPA are violated, consumers have the right to sue the company even if no data breach occurred.
What Does The CCPA Cover?
The CCPA is a comprehensive law covering data collection transparency and requirements. It covers the type of data collected, the types of businesses that must achieve and maintain compliance, the rights that consumers in California have regarding their personal data, what companies need to do to comply, and what the penalties for non-compliance are. The following is a more thorough breakdown regarding the CCPA and how it might affect your business.
What Types Of Businesses Are Affected?
The CCPA doesn’t apply to every business that collects data from users in California. Some businesses are exempt from compliance. Companies that must achieve and maintain CCPA compliance are those that meet at least one of the following three criteria:
- Your business takes in a minimum of twenty-five million dollars in annual revenue.
- You’ve collected personal data from at least 50,000 users.
- Your business generates at least half of its annual revenue from selling personal data.
What Data Is Covered By The CCPA?
The CCPA covers all types of personal data, including personal names, usernames, passwords, phone numbers, physical addresses, location, IP addresses, device identifiers, and more. Any information you collect that characterizes a user, such as their marital status, age, race, sexual orientation, or religion, is also covered. If you’re collecting biometric data, such as facial recognition data or fingerprint data, CCPA compliance will also be required. Finally, behavioral data, including browsing history, falls under the scope of the CCPA as well.
The CCPA regulates most of the data that you’re collecting from California-based users. The only exempt data is data found in public government records, and only if you obtained that data directly from those records and not from other sources. For example, if you learned that a user is married from their government records, that data is not covered by the CCPA, but if you learned it from the user’s social media page, then it is covered.
What If Your Business Is Not Based In California?
Just because your business isn’t located in the state of California does not mean that the CCPA doesn’t apply to you. If you’re collecting any information from users who are in California, then you must comply with the CCPA’s regulations. However, if a resident of California is outside of the state when you collect their data, then the CCPA doesn't apply. For example, if a California resident is on vacation in Utah when they visit your website for the first time, then you are not legally obligated to comply with the CCPA. But if that resident returns to California and revisits your site, then you will be legally required to achieve compliance, or you will face potentially stiff penalties.
The Rights Of Californians That CCPA Protects
The CCPA grants users in California three rights that give them control over what happens to their personal data. Businesses must honor these rights not only by replying to users within an appropriate time (there is a 45-day period within which companies must comply with requests), but also by making it easy for users to submit such requests. With that in mind, these are the three primary data privacy rights granted to residents of California under the CCPA:
The Right To Know Which Personal Information Is Collected From Them
Users have the right to know what kind of data you’re collecting on them. Some companies may only be collecting basic data, such as user behavior on their website, along with any information that users submit through their forms, such as names and email addresses. Other businesses may be collecting much more personal data, such as smartphone locations or voice recordings. Companies must provide California-based users with the categories of personal data that they are obtaining. Users can also request to see specific pieces of data, such as detailed logs of their online activities that the company has maintained. Under the CCPA, users can request that you delete any of this data, and you will be legally obligated to fulfill this request.
The Right To Know If Their Personal Information Will Be Shared or Sold
Many companies will either share the data that they are collecting or sell it to a third party. Under the CCPA, users in California have the right to know what you’re doing with their personal information. If you’re sharing or selling it, then you must disclose that you are doing so, and you must inform users about which third parties you’re sharing or selling their data to upon request.
The Right To Say No To The Sale Of Their Personal Information
If you are selling or sharing personal data, California-based users have the right to request that you stop doing so, and you are legally obligated to honor that request. You need to make it easy for users to make such a request by providing an “opt-out” link.
What Are The Key Privacy Provisions In The CCPA?
In addition to outlining the data privacy rights of consumers in California, the CCPA also has several key privacy provisions that businesses must follow, including:
- Consumers have the right to choose not to have their data shared, which means that your business will need to be able to separate the data that you collect based on the privacy choices of your users.
- You cannot refuse equal service to your customers based on their privacy choices, meaning that you cannot punish users for not allowing you to sell their personal information. However, you can provide incentives to your users in return for allowing you to collect, use, share, and sell their data.
- Because most businesses collect data from a variety of sources, data mapping will be required to organize personal data carefully. Otherwise, it may be challenging to fulfill consumer requests to access or delete their personal information.
- When a user in California requests their personal data, you must provide a comprehensive report to that user within 45 days. This report must include what types of information you hold about them, and the names and addresses of any third parties you’ve sold the information to (or shared it with) over the past 12 months.
When Do Businesses Need To Start Complying?
Although the CCPA passed in 2018, it didn’t go into effect until 2020. All businesses that meet the criteria outlined by the CCPA and that are collecting data from California-based users must begin achieving compliance right away. However, if your company doesn’t meet any of the three main criteria but is still collecting personal data from California residents, you may want to consider taking measures to become compliant regardless. The sooner you become compliant, the easier it will be to maintain compliance once you do meet one of those criteria (which is bound to happen if your company continues to grow).
What Happens If Businesses Don’t Comply?
If your business falls under the scope of the CCPA and you do not comply with its regulations, then you may be penalized. You can be fined up to $2,500 for each violation of the CCPA. If the violation was intentional, you could be fined $7,500 per violation. As a result, if you ignored the request of hundreds of users to delete their personal information, your company could receive an enormous fine. The State Attorney General will investigate companies that are suspected of violating the CCPA. If you receive a notification of a violation, then you will have 30 days to comply.
Fines from the Attorney General aren’t the only thing to worry about. The CCPA provides users with the right to sue if they can’t find out what personal information you’ve collected, are refused access to their personal records, or aren’t presented with a way to opt out of having their data sold or shared. Not only can individual users sue for damages, but they can sue as part of a class-action lawsuit as well. The CCPA indicates that consumers are entitled to sue for damages of $100 to $750 per incident or actual damages, whichever is greater.
Added up, all of these potential fines and damages can amount to a significant amount of money. And that’s without mentioning the associated legal costs.
Manage Your Risk Exposure, Be Compliant
Finally, by achieving CCPA compliance, you’ll reduce the risk of being fined by the California Attorney General. You will also limit the risk of civil and class-action lawsuits, which can not only hurt your business financially but also do irreparable harm to your company’s reputation.