California Consumer Privacy Act: What you need to know to be compliant

Dec 12, 2019 8:08:00 AM


With the rise of big data, there has been increased attention to proper data privacy practices. In addition to the EU’s own General Data Protection Regulation, states in the U.S. have begun to enact their own data privacy laws, including Nevada, Ohio, and California. California’s CCPA will be enacted into law on January 1, and despite popular opinion, has different requirements than the GDPR.

Below we give you the run-down of the regulation: who needs to comply, what to expect as a business, and how to ensure that you aren’t facing penalties of non-compliance.

What is CCPA?

CCPA, or the California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents. In essence, it gives citizens the right to know when and how their information is being collected and sold and the ability to opt out. It also grants them the legal right to the same service and price of service whether or not they exercise their privacy rights.

CCPA comes on the heels of GDPR (General Data Protection Regulation) and a host of other state-enacted privacy laws that reflect the public’s growing concern with data privacy abuse.

Who must comply with the CCPA?

The CCPA is specifically geared towards for-profit businesses that collect, share or sell California consumers’ personal information and meet one or more of the following criteria:

  1. Have annual revenues of more than $25 million;
  2. Collect, sell, or share the personal information of 50,000 or more consumers, households, or devices;
  3. Earn 50% or more of their annual revenue by selling consumers’ personal information.

That is, whether or not your business is based in California, as long as it does business with Californians, it is subject to the CCPA. Further, any business that controls or is controlled by a company that meets one or more of the above criteria is subject to CCPA.

What are the requirements for CCPA?

The CCPA gives consumers rights to know who is collecting information about them, what information is being collected, and the ability to opt out of their data being collected. Businesses must adhere to these requirements by giving consumers the following rights:

The right to disclosure

Businesses must disclose when they collect and sell information about a user, to whom they sell it, the specific pieces of information they collect and sell, and the purposes for which they collect and sell it. Businesses will have 45 days to provide specific information about the information collected when a consumer makes a request for it. Businesses have to give users two ways of requesting the information the business has collected or disclosed within the past 12 months (e.g., a link, an email address, or a phone number to contact).

The right to delete their data

Businesses must notify consumers that they have the right to request that their data be deleted. Businesses must comply with such requests, require that their third-party data collectors also delete the consumer’s information, and ensure that those third parties honor the deletion request.

The right to opt-out

Businesses must notify consumers that they have a right to opt out of their data being collected and sold, and must actually follow through. In addition to a general opt-out link, they must provide a link specifically titled “Do Not Sell My Information.”

The right to non-discrimination

Consumers who request that their data be deleted or who opt out of having their data collected and/or sold have the right to get the same service at the same cost.

Businesses must also have a privacy policy

Like the GDPR, CCPA requires businesses to have a privacy policy in which they must include:

  1. The consumers’ rights;
  2. Ways consumers can submit requests;
  3. Categories of personal information collected within the last 12 months.

How to prepare for CCPA

To ensure compliance with the CCPA, businesses must provide proper and thorough notice of all the activities they will be undertaking with their data collection practices. In addition, businesses need to:

  1. Have an up-to-date privacy policy that outlines all the disclosures listed above;
  2. Be able to track versions of privacy policies and maintain proof of individual user consent;
  3. Provide two or more methods by which consumers can request the data that a business has collected or sold;
  4. Provide an opt-out link that explicitly states “Do Not Sell My Information”;
  5. Revise third-party agreements (e.g., Data Processing Agreements), and track acceptance of the updated agreements to ensure third-party compliance.

What are the penalties for non-compliance?

The Attorney General

Non-compliance with CCPA comes with financial penalties. According to the CCPA, the Attorney General can exact a maximum fine for intentional non-compliance (i.e., purposefully ignoring the mandates of CCPA) of $7,500 per violation. Meanwhile, unintentional non-compliance (for example, failing to encrypt user data that was accessed during a breach) carries a fine of $2,500 per violation. This means that any non-compliance event affecting multiple consumers will carry a fine of up to $7,500 or $2,500 for each violation.

Consumers' Private Right of Action

Additionally, consumers themselves can bring a private right of action in the event of data breaches resulting from non-compliance. Consumers can sue the company for statutory damages if it failed to implement reasonable security measures and that failure led to an unauthorized disclosure of their personal information. The consumers have to notify the company as to which provisions of the CCPA the company violated and give the company 30 days to fix it. If the company fails to fix it, it is subject to statutory damages of between $100 and $750 per consumer affected. So for a class action lawsuit arising out of a data breach (which is already very expensive without a consumer suit), the company could have to pay out an additional large sum.

Take the Anthem breach, for example, which affected roughly 13.5 million Californians. Under CCPA, Anthem would owe between $1.35 billion and over $10 billion in statutory damages, in addition to other data breach costs.

How can PactSafe help?

PactSafe can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, PactSafe can help businesses track opt-ins and opt-outs of data disclosures, and quickly push updated privacy policies, terms of service agreements, and third-party agreements for consumers or vendors to acknowledge or accept with a simple click of a button.

For a quick overview and a handy guide to getting and staying compliant with CCPA, download the CCPA readiness cheat sheet!


Written by Gizelle Fletcher

Gizelle leads the content team at PactSafe. She's driven by content that relays the significance of technology in legal departments and is always looking at how consumer behavior influences new technologies.