As we enter the year 2020, the way organizations go about their business and the extent to which their consumers’ personal information is available to them are two subjects that are under extreme scrutiny.
Data privacy and data security have been at the forefront of discussions over the last couple of years. The General Data Protection Regulation (GDPR) brought in a wave of change in May 2018 on this front. However, it was primarily applicable to businesses operating within the European Union or those having customers in the EU.
The California State Legislature passed a similar bill in June 2018. Post amendments, the act has been brought into effect at the start of this year, on January 1, 2020.
An Introduction to the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a statewide statute and is also referred to as AB-375. While this is a state law, it has several larger implications for the rest of the United States, too.
Passed with a view to bolster privacy and protect consumer data, the CCPA is revolutionary in many ways. Read on to learn more about this act and its implications on how you handle customer information.
CCPA – What You Need to Know About Compliance, Provisions and Requirements
As a for-profit organization or enterprise that conducts business in the state of California, it is essential that you read up on everything there is around this revolutionary act. So, why should you care about this act? The California Consumer Privacy Act applies to businesses that fall under any of the following category or type:
- An entity that has gross annual revenues of over $25 million
- A business that deals in the buying or selling of 50,000+ Californian consumers’ personal data
- A business that earns over half of its annual revenues through the selling of Californian customers’ information
If the above applies to your business, you must adhere to the provisions in the AB-375. Here are the most important requirements for your business to fulfill according to the California Consumer Privacy Act:
- Streamlined data collection – The act requires businesses to put in place an organized structure and a streamlined process for collecting consumers’ personal data.
- Full disclosure – Businesses must disclose what information they are collecting, the purpose for this data collection and which third-party businesses they share it with. You are liable to disclose 12 months’ worth of data collected if a consumer requests disclosure or deletion (free of cost).
- The option to opt out – Businesses need to feature a visible and clear link on homepage that says ‘DO NOT SELL MY PERSONAL INFORMATION’. This link should not ask the customer to create an account in order to opt out.
- Underage customers – For consumers under the age of 13 years, it is imperative for businesses to sell their personal data only if authorized by their parents or legal guardian. For those between 13 and 15, a business must first take opt-in consent before selling any data.
What is personal information under CCPA?
According to the CCPA, personal information is:
Any information that identifies, relates to, describes or is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular consumer or household.
When we talk about “personal” information or data, it may include things like:
- Cookies
- Phone numbers
- Account names
- Driver’s license
- Passport number
- Social Security number
- Insurance policy number
- Credit card number
- Debit card number
- Bank account details
- IP addresses
- Pixel tags
- Geographical location history
- Internet browsing history
- Search history
- Personal preferences (sexual, religious, political, behavioral, etc.)
- Biometric information (facial recognition, retina, fingerprint, voice samples, etc.)
Other Important Things Businesses Must Remember About CCPA
- The consumer has the right to demand businesses to stop selling their personal information to any third party. In such a case, the business in question must avoid selling any user information or face heavy fines.
- The timeframe given to businesses to react or respond to an opt-out request is 15 days. They need to stop further selling of customer data in this period and also alert any parties who have bought such data in the preceding 90 days.
- You are required to include a two-step process for the deletion of customer information. The first step involves request submission and the second one is where the user agrees to the deletion of data.
- You should also update your privacy policy and include the aforementioned particulars in detail. You can also provide a tollfree number or link through which your visitors or buyers can avail these rights.
- Businesses must ensure that customers wouldn’t be penalized with price hikes or substandard service when they exercise their rights.
Am I CCPA Compliant If I Am GDPR Compliant?
The simple answer to that question is that GDPR compliance does not equate to being CCPA compliance. One cannot deny the fact that there are a few common factors that point towards the similarities between CCPA and GDPR. However, there are some key differences between the two under privacy disclosure, data collection, nondiscrimination, enforcement and more.
How is CCPA different than GDPR?
Here are the primary factors that make the CCPA different from GDPR:
- CCPA protects residents of California, whether or not they are currently in the state. GDPR safeguards EU residents.
- While there is no grace period for businesses under GDPR, the CCPA gives you time to rectify any violations and inform your consumers about it.
- CCPA refers to businesses in general, while GDPR makes a clear distinction between “data collectors” and “data processors.”
- GDPR’s financial penalties are applicable for non-compliance, whereas CCPA fines are only applied if/when a data breach happens.
Feeling overwhelmed with all this new information? Don’t worry, we have got you covered. While you focus on the business side of things, you can leave the website bit to us. Make modifications to your business website or build one from scratch with Qualdev.
With over 15 years of experience, Qualdev has served more than 400 clients across geographies and industries to deliver a suite of cutting-edge mobile and web apps, websites and digital marketing solutions. Get in touch with us to know how we can assist you or fill up this form to request a quote now!