It’s a new year and a new decade. January 2020 isn’t just for hitting the gym and filling in your fresh planner pages, though. It also ushers in the introduction of the new California Consumer Privacy Act (or CCPA for short).
As of January 1, 2020, CCPA is in effect. Many people, especially business owners, have been preparing for this for a while now. Some are still getting all their ducks in a row, though.
No matter which side of the fence you’re on, it’s important to be informed about CCPA so you don’t find yourself being penalized later. Read on to learn everything you need to know about the California Consumer Privacy Act now that it has become a reality.
What Is CCPA?
Let’s start with the basics. What is CCPA?
The California Consumer Privacy Act is all about changing privacy regulations for the American people. Now that CCPA is in effect, customers are allowed to require companies to inform them about the specific personal information they’ve collected. Consumers now also have the right to require companies to delete the data they’ve collected, as well as forbid them from sharing that data with third-party companies.
On the flip side, businesses now have to do more when it comes to letting consumers know what kind of data they collect from them.
Why Is CCPA Such a Big Deal?
Prior to CCPA, there wasn’t much regulation of the data companies collected or of what they did with that data. In some instances, regulators could and would step in, such as in the event of a major hack or a company doing something questionable with consumer data. For the most part, though, people were on their own.
Now, with the California Consumer Privacy Act in place, American consumers are in a similar position to European consumers after the enactment of the GDPR (short for General Data Protection Regulation) law, which went into effect in 2018.
How Does CCPA Affect Average Consumers?
With CCPA firmly in effect, consumers now have more rights when it comes to the data that companies collect from them, as well as what companies can do with their data. CCPA grants consumers the following five rights:
1. The Right to Request Disclosure
First, consumers have a right to ask companies whether their personal data is being collected. They can ask about the specific collection and sales practices associated with their data.
They can also ask about the types of data and personal information that are being collected, the source of the information, how the company is using it, and whether the information is being disclosed to third parties. If the information is being disclosed, consumers can ask for specific information regarding the type of data, as well as which third parties have access to it and what they do with it.
2. The Right to Request a Copy of Data
Not only can consumers ask questions about whether data is being collected and shared, but they can also ask for copies of that data. CCPA gives them access to data that was collected within the 12 months prior to their request.
3. The Right to Deletion
Consumers now have the right to ask for their personal information to be deleted.
4. The Right to Request Data Not Be Sold
Consumers who don’t want to have their personal information deleted can also request that their data not be sold to third-party companies (this is only applicable in the event that the company is, in fact, selling data to other companies).
5. The Right to Freedom from Discrimination
Consumers also have the right to not be discriminated against for invoking these other rights. For example, a company cannot refuse services in the event that a consumer asks for their data to be deleted or not sold. They also cannot charge a consumer for their services at a higher price.
How Does CCPA Affect Businesses?
It’s clear that CCPA affects consumers in a significant way. It obviously will change the way many companies do business in 2020 and beyond, too.
The following are some specific ways that CCPA will affect companies of all kinds moving forward:
Review of Procedures
For starters, businesses are going to have to conduct a thorough review of the procedures they currently have in place with regard to privacy and data collection. The specific procedures companies will have to evaluate include:
● Information security guidelines and practices
● Processing of personal data
● How access requests are honoured
For large companies with tons of employees, these kinds of reviews might not be a huge deal. They’ll be a nuisance, sure, but the businesses also have the manpower to handle them without too much trouble.
The same is not true of small businesses, which will have to dedicate a significant amount of time and effort to procedural reviews to ensure they’re in compliance with the new laws. This can take time away from other important parts of the business.
Not only is it time-consuming for businesses to review their procedures and make changes to ensure compliance, but it can also be expensive.
There are a lot of costs associated with updating privacy policies, making changes to websites, and implementing new procedures to streamline the data access requests that may soon be coming in. Businesses can easily spend thousands of dollars (if not tens or hundreds of thousands) on these processes.
Again, for a large company, these extra expenses related to CCPA privacy web development and procedural changes might be irritating, but they won’t be particularly burdensome to its bottom line. Small businesses, though, may experience significant setbacks trying to ensure they’re compliant.
Navigating Murky Waters
Finally, CCPA is not as clear as it ought to be considering the major changes it’s making to the rights consumers have with regard to their personal data.
There are a lot of vague provisions that will be difficult to enforce and that could be used to penalize small businesses that don’t have access to robust legal support. For example, there is ambiguity when it comes to the definition of “personal information”, as well as the definition of “sale”: it’s unclear what qualifies a data transfer as being done for “value.”
There’s still quite a bit of confusion surrounding CCPA, and understandably so. To help clear some of this up (as much as we can, at least, considering the lack of clarity mentioned above), here are answers to some commonly asked CCPA questions:
Why Doesn’t It Apply Only to California?
At first, companies outside of California might assume that they’re safe and don’t have to worry about CCPA. That’s not exactly true, though. CCPA also applies to all companies that do business with California residents (both in the US and abroad).
Considering the fact that California is the fifth-largest economy in the world, it makes sense that companies nationwide will make sure they’re CCPA-compliant rather than ceasing to do business with all of their California customers.
The other option would be to create separate systems for Californians and non-Californians, but that would be an even bigger hassle than simply making sure a company is CCPA-compliant in the first place.
Which Companies Have to Comply?
There are three types of businesses that must comply with CCPA:
● Those that earn more than $25 million in gross revenue
● Those that have data on more than 50,000 consumers
● Those that make more than 50 percent of their revenue from consumer data sales (for example, data brokers)
At first, this seems like it’ll spare a lot of the small business owners concerned about how becoming CCPA-compliant will affect them. Thanks to the ambiguous nature of CCPA, though, more companies will be affected than one might initially think.
Fifty thousand consumers is a smaller number than it seems, for example. A business that serves a mere 150 people per day will easily surpass 50,000 by the end of the year.
What Kind of Data Can Consumers Request?
There’s a lot more to the data that consumers can request beyond their name and email address. The list of personal data that companies must disclose (and potentially delete) includes the following:
● Products purchased
● Products considered for purchase
● Internet browsing data
● Academic and employment-related data
● Geolocation data
Companies must also disclose and delete inferences made to create a profile for an individual that reflects their preferences.
What Happens If a Company Doesn’t Comply?
If a company doesn’t comply with CCPA, they could be subject to some hefty fines. Intentional violations will yield a penalty of up to $7,500 (it’s up to the Attorney General of California to enforce this rule).
Individual consumers can also sue companies for between $100 and $750 in the event that the company is hacked and appears to be careless with their personal data. This might not seem like a ton of money at first. It can add up very quickly, though, especially in the event that a massive data breach takes place.
What Can Businesses Do to Be CCPA Compliant?
If your business falls into the category of companies that must comply with CCPA and you want to avoid the penalties mentioned above, you’ll need to take steps to ensure you’re abiding by the new law. Here are some specific actions you ought to take right away to be CCPA compliant:
Establish Processes for Consumer Requests
First, businesses need to make sure they have clear processes in place to help them handle consumer requests for data.
They need to have a way to access that consumer’s data (dating all the way back to January 1 of 2019) right away and respond to their request in an efficient manner. It’s also important for them to have a plan in place for deleting that data should the consumer ask them to do so.
Putting these processes in place and making sure they work in an effective and efficient way will take time for businesses of all sizes. This is why it’s imperative that companies get started as soon as possible if they haven’t already begun.
Revise Privacy Policies
Businesses will also need to make updates to their privacy policies to reflect the regulations put in place as a result of CCPA. These companies will need to make it clear that consumers have a right to ask for their information and ask for it to be deleted.
Revise Your Website
In addition to revising privacy policies, businesses need to update their websites, too.
It needs to be easy for consumers to opt out of having their data collected or shared, for example. This means having a visible link that directs consumers to the place where they can opt out, as well as making it easy for them to request copies of their personal data that have already been collected.
The addition of these opt-out links might not seem like a big deal. They’ll require the services of a web developer to ensure they get done correctly, though, and comply with the specific requirements put in place by CCPA.
Reach Out to Vendors and Partners
Most businesses do not handle all aspects of their website development and data collection in-house. They likely work with web developers, IT professionals, and other third-party companies or contractors to get things done.
To ensure everyone is on the same page and acting in the best interests of the company, it’s imperative that business owners reach out to their vendors and partners to discuss the changes that need to be made in response to CCPA going into effect. They might want to work with a professional (or team of professionals) who specializes in CCPA privacy web development, too.
Start Complying with CCPA Today
Now that you know more about CCPA and the effects it has on both average consumers and businesses, it’s time to make sure you’re compliant.
Keep the guidelines outlined above in mind so you can abide by the new guidelines and avoid having your business penalized. It might seem overwhelming at first. The sooner you take action, though, the better off you’ll be.