    7 Essential Actions for Adhering to the California Consumer Privacy Act (CCPA)

    On June 28, 2018, California made headlines by passing the California Consumer Privacy Act (CCPA), formally known as AB-375. As one of the most comprehensive data privacy laws in the United States, the CCPA aims to protect the personal information of California residents. It places significant obligations on businesses that process the data of these residents, setting the stage for stronger consumer rights in the digital age. This law has laid the groundwork for future legislation, including the California Privacy Rights Act (CPRA), which is expected to take CCPA’s provisions even further.

    The CCPA gives consumers the right to know what personal information is being collected from them and how it is utilized, including third-party sharing of that information. Consumers can also invoke their right to stop businesses from selling their data and request its complete removal. This proactive stance on privacy places California at the forefront of data protection in the U.S.

    How Is It Different from the GDPR?

    The CCPA is often compared to the General Data Protection Regulation (GDPR) implemented in the European Union due to their overlapping concerns about data privacy and protection. However, there are distinct differences in their approach. While GDPR tends to focus on obtaining explicit consent from consumers before data collection and processing, the CCPA operates more on the principle of opt-out. This means that while businesses must provide the option for consumers to decline data sharing, they do not need to seek prior consent.

    Moreover, GDPR’s regulations are considerably stringent, including a requirement to report data breaches within a tight 72-hour window, whereas CCPA offers a broader view and places more emphasis on transparency. The CCPA empowers consumers with rights such as accessing their personal data, knowing where it goes, and even being able to sue companies for privacy violations, even if there is no breach. This level of consumer power represents a significant shift in the data privacy landscape.

    Does CCPA Apply to Your Business?

    Understanding whether the CCPA applies to your business is critical. The law affects any business operating in California that meets at least one of the following criteria: it has annual gross revenues of $25 million, processes the data of 50,000 or more consumers, or earns more than half of its revenue from selling personal data. This means that businesses based outside California can still be on the hook for compliance if they handle the data of California residents.

    Some common misconceptions may lead businesses to believe they are exempt from CCPA regulations. For instance, if you think that not actively selling data or being already GDPR compliant makes you immune, you may want to think again. However, it’s worth noting that businesses in the insurance sector that are already regulated under California’s Insurance Information and Privacy Protection Act (IIPPA) have been exempted since April 2020.

    7 Key Steps Leading to CCPA Readiness

    For businesses that have already adapted to GDPR, getting ready for CCPA may still require a renewed effort. In fact, compliance efforts are expected to expand globally, affecting over 500,000 organizations. The enforcement has been active since July 2020, so businesses need to take specific steps to ensure they meet the requirements.

    1. Understand What Personal Data Means Under CCPA

    CCPA’s definition of personal data is broad and encompasses various identifiers. This includes identifiable data such as names and addresses, online identifiers like IP addresses and email addresses, social security numbers, and even commercial information like purchase histories. The law also incorporates information related to legally protected characteristics like race, religion, and sexual orientation, as well as biometric data and internet activity records. This comprehensive approach requires businesses to take stock of all types of data they collect.

    2. Make it an Organizational Goal

    Compliance with CCPA shouldn’t just fall to the IT department. Like GDPR, the CCPA necessitates a coordinated effort across various departments—legal, compliance, business, and technology all play crucial roles. Assigning clear responsibility to a chief compliance officer or data privacy officer will help in navigating the complexities of the legislation.

    3. Reassess Your Data Processing Policies

    A thorough review of your existing data policies is essential for compliance with the CCPA. This means comparing current practices against the requirements set forth in the CCPA and identifying discrepancies. Businesses must actively update their internal procedures to close any gaps that may exist.

    4. Update Your Website Privacy Notices

    Transparency is fundamental under CCPA. Businesses must ensure their privacy policies clearly explain how they collect and use consumer data. It’s imperative to inform consumers about their right to opt out and the process for requesting data deletion. A detailed privacy notice can cultivate consumer trust and ensure compliance.

    5. Review Third-Party Data Flows

    Businesses must have a comprehensive understanding of any data shared with third parties, whether through storage services like Google Drive or custom solutions. Organizations should know what data is being sent and why, and ensure that these practices align with CCPA requirements. Service provider agreements should also reflect these obligations.

    6. Implement Reasonable Security Practices

    CCPA mandates that organizations adopt reasonable security measures to protect consumer data. While this doesn’t mean every business must encrypt their data, it does require an assessment of current security practices. Companies should conduct audits to ensure appropriate measures are in place against potential breaches.

    7. Establish a Process for Data Subject Requests

    Consumers can submit requests under CCPA to access their data or request its deletion. Businesses must develop efficient processes to handle these inquiries effectively and promptly. Being prepared to manage these requests not only fulfills a legal obligation but also enhances customer experience and trust.
