With the rise of big data, there has been increased attention to proper data privacy practices. In addition to the EU's own General Data Protection Regulation, states in the U.S. have begun to enact their own data privacy laws, including Nevada, Ohio, and California. California's CCPA will be enacted into law on January 1, and despite popular opinion, has different requirements than the GDPR.
Below we give you the run-down of the regulation: who needs to comply, what to expect as a business, and how to ensure that you aren’t facing penalties of non-compliance.
CCPA, or California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents. In essence, it gives citizens the right to know when and how their information is being collected and sold and the ability to opt out. It also grants them the legal right to the same service and price of service whether or not they exercise their privacy rights.
CCPA comes on the heels of GDPR (General Data Protection Regulation) and a host of other state-enacted privacy laws that reflect the public's growing concern with data privacy abuse.
The CCPA is specifically geared towards for-profit businesses that collect, share or sell California consumers’ personal information, and meet one or more of the following criteria:
That is, whether or not your business is based in California, as long as it does business with Californians, it is subject to the CCPA. Further, any business that controls or is controlled by a company that meets one or more of the above criteria is also subject to the CCPA.
The CCPA gives consumers rights to know who is collecting information about them, what information is being collected, and the ability to opt out of their data being collected. Businesses must adhere to these requirements by giving consumers the following rights:
Businesses must disclose when they collect and sell information about a user, to whom they sell it, the specific pieces of information they collect and sell, and the purposes for which they collect and sell it. Businesses have 45 days to provide specific details about the information collected once a consumer requests it. Businesses must also give users two ways of requesting the information the business has collected or disclosed within the past 12 months (e.g., a link, an email address, or a phone number to contact).
Businesses must notify consumers that they have the right to request that their data be deleted. Businesses must comply, and must also require their third-party data collectors to delete the information, ensuring the deletion request is honored end to end.
Businesses must notify consumers that they have a right to opt out of their data being collected and sold, and must actually follow through. In addition to a general opt-out link, they must provide a link specifically titled "Do Not Sell My Information."
Consumers who request that their data be deleted or who opt out of having their data collected and/or sold have the right to get the same service at the same cost.
To ensure compliance with the CCPA, businesses must provide proper and thorough notice of all the activities they will be undertaking with their data collection practices. In addition, businesses need to:
Non-compliance with the CCPA comes with financial penalties. According to the CCPA, the Attorney General can exact a maximum fine for intentional non-compliance (i.e., purposefully ignoring the mandates of the CCPA) of $7,500 per violation. Meanwhile, unintentional non-compliance (that is, failing to encrypt user data that was accessed during a breach) carries a fine of $2,500 per violation. This means that a non-compliance event affecting multiple consumers carries a fine of up to $7,500 or $2,500 for each violation.
Additionally, consumers themselves can bring a private right of action in the event of a data breach resulting from non-compliance. Consumers can sue the company for statutory damages if the company failed to implement reasonable security measures and that failure led to an unauthorized disclosure of their personal information. The consumers have to notify the company of which provisions of the CCPA it violated and give the company 30 days to fix it. If the company fails to fix it, it is subject to statutory damages of between $100 and $750 per consumer affected. So for a class action lawsuit arising out of a data breach (which is already very expensive without a consumer suit), the company could have to pay out an additional large sum.
Take the Anthem breach, for example, which affected roughly 13.5 million Californians. Under the CCPA, Anthem would owe between $1.35 billion and over $10 billion in statutory damages, in addition to other data breach costs.
PactSafe can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, PactSafe can help businesses track opt-ins and opt-outs of data disclosures, and quickly push updated privacy policies, terms of service agreements, and third-party agreements for consumers or vendors to acknowledge or accept with a simple click of a button.
For a quick overview and a handy guide to getting and staying compliant with CCPA, download the CCPA readiness cheat sheet!