2020 heralds in a new act: the CCPA, or California Consumer Privacy Act. But not to worry—we have a crash course highlighting the ins and outs of exactly what this means, when it’s in effect, who it impacts and what to do next.
What Is the CCPA?
The CCPA is the California Consumer Privacy Act. This is the state statute that was created and signed in June 2018 and went into effect on January 1, 2020.
The California Consumer Privacy Act serves to protect consumers’ privacy and data rights who reside in California by providing them complete transparency regarding how, when, and why businesses collect their personal information, including tracking and deleting information. In turn, businesses are mandated by law to inform consumers what data they are collecting and how it’s being repurposed. If these businesses breach, they are legally open to being sued by consumers whose rights have been infringed upon.
The CCPA, affectionately known as “The Act,” is one of the “strictest privacy laws” in the country regarding what Harvard scholar Shoshana Zuboff calls “Surveillance Capitalism.” The Act is strict for businesses but great for consumer privacy, putting “the capital P back in privacy,” according to the Attorney General via Associated Press.
As one of Guidance's clients has said, in going through the CCPA compliance process:
"CCPA has definitely been a disruptor for large companies like Hearst and has impacted our road map for the year. It was different from GDPR in that this exercise required us tracing our data to its source. That was eye opening for all of us. One of the benefits of this new legislation is that we terminated contracts, cleaned up our workflows and rethought who we do business with/how we do business. The more “uniform” your business is, the easier this exercise was for companies. It has encouraged us to rethink “one off” businesses, platforms and tech as it’s just another item to track."
--Jennifer McAuliffe, Director of Program Management
CCPA: What Does This Mean for Businesses?
If you’re a business owner, this new law requires you to update all disclosures, including informing your customers of the CCPA’s existence and their rights, including receiving equal service/pricing if they refuse collection. Consumers also have the right to obtain copies and/or demand deletion of their collected information.
If you aren’t sure if this impacts your business, here’s a quick rundown of rules that confirm application of the CCPA, according to the National Law Review:
- business is based in California
- business collects personal information
- alone or jointly with others determines the purposes or means of processing that data and includes at least one or more of the following:
a) annual gross revenue = $25 million+
b) shares, buys, sells personal info of 50,000+ consumers, households or devices for commercial purposes
c) derives 50%+ of annual revenue from selling consumer information
CCPA: What Does This Mean for Consumers?
Firstly, it confirms and upholds the fact that all California resident consumers “own” their private information. Everyone browsing and shopping online, by law, is privy to all behind-the-scenes actions of businesses in cyberspace.
Under the CCPA, consumers have the right to:1. know exactly what personal information has been collected, the collection
source, and purpose of use
2. know if their info is being sold/shared/disclosed and have the right to opt-out3. access all collected information and shared parties who have received it by
making a free request through a provided toll-free number or web link;
businesses have 45 days to disclose4. request that their collected personal information be deleted (some is exempt
from deletion if under legal hold)5. avoid discrimination if they exercise their right under the CCPA to not have
information collected, and should receive the same pricing and quality of
goods and services
Please note there are always exceptions in rights involving children and legal situations for consumers, and some loopholes for small businesses who may not meet the aforementioned rules. We recommend digging in deeper if one of those caveats applies to you and your family.
CCPA: Next Steps
Know what your “personal information” includes when you accept:
- Real name, postal address, email address, phone number, social security number, driver’s license info, and the like
- Employment and education information
- Geolocation data
- Audio, visual, olfactory, thermal, electronic data
- Biometric information, such as DNA and fingerprints, face recognition
- Internet browsing and search history
- Any information that may create profiles around your shopping preferences, personal characteristic, psychological behaviors, intelligence, and more
What about cookies? Although the CCPA doesn’t require websites to have a separate policy regarding information collected by cookies (the mini-files websites place on your smartphone, laptop and connected devices), you should always read the fine print when you get a cookie pop-up. Cookies can be very convenient for faster logins and saved passwords but it’s always good to know the price you pay for convenience.
If you wish to opt-out of having your personal information shared and/or sold, each business should have a link on their website that clearly indicates “Do Not Sell My Personal Information.”
The Attorney General’s website has various detailed documents, including the rulemaking process, activities, and scripts from public hearings. You can also subscribe to rulemaking notifications at that website to stay up-to-date.
If you’re a business operating in California that meets the criteria for implementing disclosures, you should:
- Update your policies to become compliant with the law
- Enable clear updates to your customers regarding their rights
- Give them a clear way to request their info from you
Need help with any of the above? Guidance can help ensure your business is CCPA compliant.
It’s no secret that the world is becoming exponentially more tech-based, meaning the rights of all people utilizing technology in their everyday lives will only get broader. Not only is it important for people to know their “cyber rights” and feel confident that their privacy is protected online, but businesses should also get prepared now by getting ahead of the curve in this new age. It’s wise to prepare for the inevitable.