CCPA Compliance Requirements
The CCPA mandates organizations to implement different procedures within their company. This involves the right to access, delete, opt out of the personal information sale, opt-in for children, as well as the non-discrimination, and changes to a consumer’s privacy notifications.
Right to Access
Companies that are subject to the CCPA are required to honor the requests of the customers regarding their personal right to access personal information. The process for disclosure of the requested information needs to be free for the consumer and should be sent either by electronic or physical mail.
The CCPA has established limits to this right of access. Consumers can use their right twice a year. This means that companies are no longer required to honor the requests if the consumer has done so more than two times within a span of twelve months. Companies are also not required to keep personal information just to comply with the requirements of the law.
Right to Delete
Companies that are subject to the requirements of the CCPA are obliged to honor the request of the consumers regarding their personal right to delete personal data. Nine exceptions on this right to delete grant an organization the right to deny a request.
Right to Opt-Out
Companies that are recognized a subject to the CCPA are required to present a conspicuous and clear link with the title “Do Not Sell My Personal Information” in a visible location on their website, as well as in their privacy policy. This requirement started on January 1, 2020. This link should offer the customer the option to opt-out of the sale of their personal data.
On top of that, companies should not force their consumers to make an account just so they can opt-out. They are not allowed to utilize any gathered information on the consumer at the opt-out transaction. Companies need to wait at least twelve months after the opt-out process is completed before starting to invite the consumer to opt back in to the sale of their personal data.
In the state of California, consumers are given the right to opt-out of their personal information sale. For this type of sale to happen, there is no requirement for an exchange of money. It is clearly stipulated that disclosure at any time, whether electronically, written or orally, will be considered as a sale.
Right to Opt-In for Children’s Information
In contrast to the standard opt-out process that requires a consumer to ask for the right to opt-out, companies should expressly gather the consent of children below the age of 16 to sell their personal information. Consent from the parent is also needed for children below 13 years old.
This means that children below 16 years old are not required to opt-out so as to protect their sale of personal details. This information is not sellable unless it is clearly authorized. A company that is subject to the CCPA cannot disregard the age of the consumer willingly so as to proclaim that they did not know anything regarding the transactions involved using a child’s information. As such, they will likely need to ask the consumers of their age so as to comply with the needed restrictions.
Privacy Policies and Notifications
According to the guidelines of the CCPA, companies are required to disclose the specific categories of personal information that is collected, along with the purpose of their collection and potential use. Also, companies that sell the personal information of consumers are required to inform those consumers of the possibility of their personal information being sold. This should go by informing them of their right to opt-out. According to the new CCPA guidelines, companies are given 18 months to comply with this regulation.
Potential Consequences of Non-Compliance
A violation of this regulation for the purpose of lawsuits happens if a company receives a notification of this alleged non-compliance while failing to cure this violation within a period of 30 days. Intentional violations of the guidelines may result in civil penalties that could cost a company up to $7,500 for every violation.
For consumer lawsuits involving statutory damages, the fine levied is between $100 and $750 for every consumer per incident or the actual damages, whichever amount is higher. This lawsuit applies only to specific personal information disclosures where a company failed to maintain or implement reasonable practices and procedures involving security.
Conclusion
If your company is conducting business in California, and are collecting and storing personal information, note that you are also subject to the CCPA. This means that you need to start considering how your business collects the personal data of the residents and citizens of California, and what you need to do to comply with the requirements. A clear path that is defined towards compliance will help you avoid any legal, financial, and reputational problems that are a result of not complying with the requirements of the law.
