Everything You Need to Know About the California Consumer Privacy Act (CCPA) and How to Be Compliant

Introduction

As of June 2018, the state of California passed a new privacy law that could lead to more consequences for US-based companies than the European Union’s General Data Protection Regulation (GDPR). While the new California law doesn’t include some of the more severe GDPR rules like a 72-hour window for a company to report a breach, some would vote that the CCPA is actually stricter in certain areas.

The GDPR specifically requires businesses within the EU to protect personal data of EU citizens when data activities occur within EU member states, and it also regulates the export of EU citizen’s data outside the EU. The GDPR was put into place because of numerous high profile data breaches that have occurred within the EU in the past few years and the public’s concern for data safety.

According to a 2018 RSA security survey, out of 7,500 consumers within countries like France, Germany, Italy, the UK, and the US, 80 percent said lost financial and identity information was a top concern. With actual data breaches and the public’s stressed concern for personal information, one can easily see where the demand to enhance online privacy comes from.

The Transition of GDPR to CCPA

The GDPR’s ripple of integrity for personal data in many ways seems to have served as the foundation for the state of California to approve a similar bill, the California Consumer Privacy Act (CCPA). The CCPA can be seen as an act to help give users the power to choose if they give consent for their data to actually be collected. So while the GDPR forces companies to be extremely protective of their personal data, the CCPA looks to enforce that and more.

For instance, the CCPA is forcing the presence of a clickable link on all websites and apps that fall under certain criteria to have to be present on every accessible online page. The links usually say some text along the lines of “Do Not Sell My Personal Information” or something very similar. This link will act as the gateway to allow the user to do many things with their personal data, including removing any previously stored data from one’s system.

Business Updates Forced by the CCPA

With data access and data manipulation requests coming from the user, businesses will now be forced to organize all of the collected data in a way that will give them the ability to return a user’s collection of data. The CCPA requires companies to return requested data to a user in 45 days or less, or they will be subject to a penalty.

While this may seem like a simple request with that amount of time, it will cause many businesses a great deal of headaches. Subra Ramesh, SVP of Products at Dataguise, had this to say, “First the amount of data they collect is already massive and continues to grow, often in the hundreds to thousands worth of terabytes, and with enterprise-level organizations processing petabytes of data.” So it’s safe to say this request to return could be problematic for companies with larger sets of data.

The CCPA also requires companies to give users transparency into the sale of their data. The CCPA covers the previous 12 months of data transactions, meaning companies are required by this law to provide the names of every company to which they sell data. Tsopanis said this law update alone “Will change the privacy landscape in America forever.” Companies will no longer be able to hide whom they are involved with for data transactions. This amount of insight could potentially hurt a brand’s image based on where they sell users’ data.

What Information Does the CCPA Cover?

The CCPA has a broad definition of what it considers personally identifiable information (PII). The includes, but is not limited to:

• Internet browsing data. This includes browsing history, search history, or any information regarding a user’s interaction with a site, app, or advertisement.
• Biometric data. Any physiological, biological, or behavioral characteristics that can be used to establish a user’s identity. This can even include specific keystroke patterns.
• Geolocation. This could be data obtained from a browser or a mobile device.
• Unique identifiers. This includes IP addresses, telephone numbers, cookies, etc.

A Visual Example of How the CCPA Works

A typical website is likely to store a variety of information about the user upon visiting, most likely in the form of a cookie. These can be split into a number of different categories: first party, third party, performance, analytics, or general functionality. It is highly likely that the user’s personal information is used by these cookies, especially by third parties for advertising purposes. Under the CCPA, a user will be offered the ability to see a description of the types of cookies a site uses, along with the ability to opt-out of anything the site does not require to function.

What are the Consumers’ Rights?

Under the CCPA, consumers have these essential rights regarding their personal information:

• To be informed. A consumer has the right to request what categories of personal information are going to be collected, and to whom it will be shared.
• To access. A consumer has the right to access the specific information collected from them.
• To delete. A consumer has the right to request that a business delete the information collected from them.
• To opt-out. Consumers are allowed to request that companies not collect data from them
• To have equal service. No business can discriminate against a consumer for exercising their rights under the new law.

To Which Companies Does the CCPA Apply?

Personal data sales have been a primary & secondary source of revenue for many big-name companies. But as of January 1, 2020, this source of income and user information is no longer a guarantee. The CCPA law applies to many big-name companies across the US, not just ones with a presence in California. This is due to the CCPA’s criteria which enforce companies to be compliant if they have at least 25 million in annual gross revenue, or have personal data on 50,000 or more people/households, or if the company earns half of its revenue selling California user’s data.

Who Will Enforce the CCPA?

So with these new California state laws in place, who will be the one to ensure that these guidelines are followed? The attorney general within California will be in charge of enforcing the viral law against any company that breaks it, but there are multiple sources stating that the attorney general Xavier Becerra’s office will only have a limited number of resources to pursue a finite number of cases per year.

What is the Penalty for Non-Compliance?

Companies that are non-compliant with the CCPA will be hit with hefty fines. Specifically listed by the Attorney General, companies that are non-compliant 30 days after being informed are at risk of being penalized up to $7,500 per violation. So this means if you have 100 users, you could be at risk for being hit with a fine up to $750,000 ($7,500 x 100).

How to Implement and Become CCPA Compliant

There are many steps in regards to how one might implement the CCPA changes to their website and organization in order to be CCPA compliant.

• Start by preparing your consumer data. You’ll need to know the answers to the following questions: What personal data do you currently collect, how do you collect it, where and how do you store it, who do you share your collected data with? Do you sell it, and how often do those selling transactions occur?

• Adjust privacy policy pages to be transparent with the user. Updates to the page will include things like stating the personal data your company collects, stating any unique data points collected, where you get that user data from, the types of third parties you exchange data with, and your purposes on how you plan on using the collected information moving forward.

• Ensure customers are allowed to opt-out of data collection. This is done by adding the “Do Not Sell My Information” link on any accessible page on your site. This link will allow visitors to make requests to read, stop, or delete the collection of data you hold on them. These links should be wired up to fully working features that have access to all of your collective user data. Once the user clicks the link, they’ll then be able to request to see their current data or delete it. This process is dependent partially on how you prep for your consumer data and how you structure your data on your servers to handle these newly scoped queries.

• Plan out how your organization will handle customer requests and the process that will follow that request. The CCPA requires companies to answer data-related requests within 45 days. Some of these requests and services will range from the following:

• Explain in further detail what information your company collects and why.
• Provide opt-out options of personal data for customers that are 16 years and older.
• Provide opt-in options of personal data for customers that are 13-16 years old.
• Remove the personal data collections from customers that request to do so.
• Provide a method for guardians to consent for the sale of personal data for consumers that are below the age of 13. Present copies of personal customer data to requested users.

• Enhance the security around your currently collected data. The CCPA does allow for users to pursue legal action if your company has a data breach due to the lack of maintained security practices and measurements. These legal charges could put a huge dent in an employer’s finances and the brand that the public perceives a company to have with their data.

By following these guidelines, Levvel has helped multiple companies achieve compliance with data privacy and security laws such as GDPR, CCPA, PCI, and others. We provide the ability to partner from strategy to implementation with businesses that need to become compliant, or ones that want help polishing their already implemented processes. Our experience within this realm can make this procedure smooth and simple for businesses of any size. Contact us today to learn more about how our services could better prepare you to serve your customers and stay compliant.

What’s Next?

The next big announcement will come into play on July 1. This is the deadline for the attorney general to finalize regulations specifying what companies need to abide by in order to stay fully compliant with the law. Many businesses hope these regulations will help clarify the unclear aspects of this law.

In July, Californians will be allowed to sue businesses for specific data breaches, and the attorney general will be able to start enforcement actions. There are also rumors of a November ballot that could expand the privacy rights of the CCPA to bring even broader protection to online users.