You might have heard the news last January about a brand-new law in the United States that gives Californians more control over their personal information. The California Consumer Privacy Act (CCPA) is a data privacy law in the state of California that regulates how businesses around the world may handle the personal information of California residents.
This law was passed and took effect on January 1, 2020. It grants Californians a number of fundamental rights that let them determine what personal information is collected, used, and viewed about them by the businesses they transact with.
This law is very important for consumers because it helps protect private data that could otherwise be exploited and used with malicious intent.
How does CCPA protect consumers?
Under CCPA, Californians have the right to opt out of having their data viewed, collected, or used by third parties whenever they transact with a business, whether foreign or domestic. They have the right to request disclosure of the data that is collected, and they have the right to have it erased whenever their private data is collected.
Furthermore, Californians also have the right to receive notifications, and the right to equal services and prices for the products or services they are trying to purchase.
Businesses that fail to comply with the CCPA face fines of up to $7,500 for each violation and $750 for each affected consumer or user in civil damages. The Attorney General of California is the one who enforces CCPA.
Why is CCPA important?
CCPA is considered the country’s first consumer privacy act, according to several California legislators. No other state in the US has given its constituents a law so similar to the General Data Protection Regulation (GDPR). It offers not just protection but also a transparency right that requires each company to inform its consumers or customers about the data that was collected, shared, and used.
Considering that California is the fifth-largest economy in the world with 40 million residents, CCPA is very important because any data privacy breach or security concern will surely have a global economic effect.
CCPA is very similar to GDPR, which was enacted by the European Union. However, CCPA has key differences from GDPR. Check out the shortlist below to learn more about them.
- Businesses are required to inform consumers about the personal data that is disclosed, sold, or collected during a business transaction. For transparency, businesses must tell consumers the categories of personal data they have used or are about to use.
- Businesses are required to provide consumers with access to their data upon request. They are also required to delete the consumer’s personal data after each transaction.
- Businesses must also give consumers the ability to opt out of the sale of their personal data by providing a separate opt-out link on their website.
CCPA applies to businesses that regularly collect personal data from their consumers, especially those that do business in California. It also covers third parties that are subsidiaries of, or affiliated with, businesses located in California.
CCPA Compliance Checklist
CCPA has a huge impact on privacy standards throughout the US. Businesses have different options for complying with CCPA, ranging from off-the-shelf solutions and tools that ease the transition to overpriced business consultants. The most important thing, however, is for businesses to understand the legal requirements of CCPA so that they are better prepared for this brand-new law.
Businesses have claimed that they collect consumer data in order to give consumers a more personalized experience when transacting with them. However, because of ubiquitous industry practices, consumers cannot see which personal data is being used, sold, and bought.
CCPA and GDPR are two of the most prominent and consequential legal remedies for concerns about businesses collecting individuals’ private data from their consumers. CCPA mainly mandates that businesses be more transparent about data collection and monetization, to prevent the manipulation and exploitation of their consumers.
Many compliance checklists need to be followed by businesses to avoid litigation and fines. Complying with CCPA will surely enhance a business’s brand, because it shows a commitment to its consumers to more transparent and more ethical data practices.
For those interested to learn about the CCPA compliance checklist, read a list we’ve compiled below.
- Regularly update your business’s privacy notices – CCPA requires businesses to issue a notice that informs consumers of the types of personal information they collect and use, and for what purpose. This notice should explicitly inform consumers of their option to opt out whenever their private data is being collected. Companies should update their privacy policies to describe the new consumer rights afforded under the CCPA. Businesses must decide whether to create a separate policy for Californians or to apply CCPA-compliant policies to all of their consumers regardless of where they are located. Many businesses find that extending their CCPA protections to all consumers or customers is much simpler than running parallel systems, which carry the risk of unintentionally falling out of compliance.
- Maintain your business’s data inventory – CCPA requires all businesses to establish and maintain a database that tracks the data processing activities of their products, devices, third parties, and other applications. Existing GDPR compliance is considered a good start toward maintaining such a database or data inventory. However, CCPA compliance also requires some additional steps. These are:
- Disclosing the categories of personal information that are being transferred to third parties
- Identification of data that are being sold
- Identifying the personal information covered by the HIPAA and the Fair Credit Reporting Act or any law that has exemptions for the data under CCPA.
- Identifying the data that were collected for more than a year before the implementation of CCPA that could be exempted.
- Ensuring consumers’ rights – There is a list of consumers’ rights that businesses need to uphold under CCPA. These are:
- Right to know – Consumers have the right to be informed, and the right to request that a business that collected their personal or private information disclose the categories of information collected, the sources from which it was collected, the purpose of collecting the data, and the specific information that was collected.
- Right to notice – Businesses are required to properly notify consumers about the categories of information they collect from them, and about the purposes behind the data collection.
- Right to request – Consumers have the right to request that a business they have transacted with disclose and provide the personal information it has obtained and used about them. Businesses must first verify the individual’s or consumer’s identity before fulfilling the request.
- Right to delete – Consumers have the right to request that a business they have transacted with delete their personal information. The business must first verify the consumer’s identity, and must then delete the personal information it collected and used, as requested.
- Right to opt out – Businesses should allow customers or consumers to opt out of the sale of their personal data. They must create a process that makes it easy for consumers to opt out, by having a separate link on their website to handle this request.
- Right to equal service and price – Businesses are not allowed to deny goods or services to, or impose penalties on, consumers who exercise their privacy rights.
- Update security regularly – Penalties and fines await businesses that fail to update their security regularly, because the liability for data breaches always rests with the business or entity that collects consumers’ personal information, not with the third parties it has partnered with, such as cloud storage service providers. Companies must properly vet partner businesses for CCPA compliance before signing any contract with them. Furthermore, businesses should understand how data moves from system to system so that they can determine where their responsibility for data security lies.
- Exceed the minimum requirements – The regulations set under CCPA are just the bare minimum a business must meet to avoid being fined or penalized. The CCPA is only the tip of the spear in a new era of governmental oversight of the data industry. Clever businesses view CCPA as a chance to establish security and compliance practices that can adapt more easily to future data protection requirements.
- Train employees on compliance protocols – CCPA requires businesses that hold personal data to train their employees on the mandated data handling protocols and procedures. Online CCPA training is readily available to all businesses, not just those in California. Businesses can also hire consultants to help familiarize their company with the compliance protocols.