CCPA compliance became a hot topic for anyone with business in California (physical or online) within just the last year or so.
As governments grow aware and critical of how companies use (and sometimes, misuse) consumer data, data privacy laws are becoming more prevalent. Beginning in January 2020, certain businesses operating in California were required to comply with the California Consumer Privacy Act of 2018 (CCPA). CCPA Compliance depends on several factors, including the location of the business, its gross revenue, and whether it makes a profit from buying or selling the personal information of California residents. These requirements can also include businesses that aren’t located in California but do business online.
Wondering if it applies to you? You’re not alone. Since the law passed in 2018, many organizations have expressed their confusion over the scope and extent of the CCPA. That’s why we’ve compiled this helpful guide. Here are the basics you need to know about the CCPA and how to achieve compliance with it.
What is the CCPA?
The CCPA is a landmark law that gives California consumers significantly more control over how businesses collect and use their personal information. It applies to any for-profit business operating in California that meets any one of the following conditions:
- Has a gross revenue of $25 million annually
- Buys, receives or sells information of 50,000 or more California residents
- Derives at least 50 percent of its annual revenue from buying or selling the personal information of California residents (think data brokers)
Consumer Rights Under the CCPA
The CCPA grants California residents many new rights regarding the control of their personal information. CCPA compliance is tied to making sure your business has the proper notices and procedures to respect these rights. Consumers have the right to:
- Ask companies about the personal information they’ve collected and what they’re doing with it.
- Refuse to allow personal data to be sold or shared for business purposes.
- Sue companies that violate the CCPA or that experience data breaches.
- Access and download their personal information.
- Demand the deletion of personal information collected from them.
- Require the opt-in of parents or guardians of children under 13 before their data is collected or sold.
- Exercise their rights without discrimination.
GDPR vs. CCPA Compliance: What’s the Difference?
The CCPA and the EU’s General Data Protection Regulation (GDPR) both fall into a similar class of data privacy laws. However, they differ in both their scope and the rights they afford consumers. Notably:
- The CCPA applies only to California residents and organizations doing business in California. In contrast, the GDPR applies to any organization that processes the personal data of European citizens and residents no matter where they’re located.
- The CCPA uses opt-out as the basis for consent. The GDPR, on the other hand, requires opt-in.
- The CCPA requires certain privacy notices (such as “notice at collection” and a privacy policy). But it does not require the kind of “cookie banner” that many businesses use on their website for GDPR compliance.
- The CCPA’s penalties cap at $7,500 per record for each intentional violation ($2,500 for each unintentional violation). The GDPR’s penalty caps at 4 percent of the company’s annual revenue, or $21 million – whichever is greater.
- The CCPA may exclude some small businesses. The GDPR includes all businesses no matter the size.
5 Key Things to Maintain CCPA Compliance in Your Business
Achieving and maintaining CCPA compliance in your business will require you to review your current policies around data collection, storage, and use. We recommend that you:
1. Review Your Data Security Procedures and Practices
The CCPA requires businesses to “implement and maintain reasonable security procedures and practices” but doesn’t outright define what this means. Some things you can do include:
- Implementing a security framework. A security framework, like SOC 2 or CIS Controls, can improve overall cybersecurity and protect consumer data.
- Conducting a pen test. A penetration test can help you identify and shore up vulnerabilities in your current infrastructure or strategy.
- Investing in a security management platform. A centralized security policy platform, with support for CCPA compliance, can ensure that your policies are up to date and compliant.
2. Provide Staff Training for Handling Personal Information
The CCPA allows consumers to demand businesses take specific actions regarding their personal information, including handing it over or deleting it. For CCPA compliance, you’ll want to make sure you have developed policies and procedures to support these demands, and that your staff knows what to do when they arise. Include in your training:
- How to identify what is personal information under the CCPA
- What legal responsibilities a company has under the CCPA
- How to handle a suspected breach
3. Assist Consumers with Exercising Their Rights Under the CCPA
You’ll need to provide a way for your consumers to exercise their rights under the CCPA. The exact method this takes will depend on your company and its infrastructure. You may:
- Include conspicuous banners or pop-ups on your website that inform California residents of their rights and allow them to opt-in or opt-out of data collection.
- Create forms or provide contact information for fulfilling consumer rights requests.
- Automate the processing of consumer requests to accelerate their handling.
4. Implement a Process to Comply with the Look-Back Requirement
Although the CCPA doesn’t explicitly mention “look back” in its language, a 12-month retroactive requirement does exist. When a consumer requests to access their personal information, you must be able to provide records covering the one-year period preceding the date of the request.
If you haven’t already, create a data inventory using a classification method to identify what personal information falls under CCPA compliance requirements. Keep this on hand in the event of requests.
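To make the look-back requirement and the access and deletion requests from steps 2 and 3 concrete, here is an added example (not part of the original article, and not a product of the article's author) of a small classified data inventory in Python. The classification labels, the consumer IDs and the sample records are constructed for illustration; the only rule it encodes from the text above is that an access request returns records collected in the 12 months preceding the request date, with both boundary days included. It also handles the one awkward edge case, a request dated 29 February, and reports records whose label falls outside the inventory scheme, since those cannot be reliably handed over or deleted.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Classification labels used by the data inventory. These three labels are
# constructed for this example; the statute's categories of personal
# information are broader, and your inventory should use your own scheme.
KNOWN_CATEGORIES = {"identifier", "commercial", "internet_activity"}


@dataclass(frozen=True)
class Record:
    """One item of personal information held about one consumer."""
    consumer_id: str
    category: str      # classification label from the inventory
    field_name: str
    value: str
    collected_on: date


def look_back_start(request_date: date) -> date:
    """First day of the 12-month window preceding the request date.

    A request dated 29 February falls back to 28 February of the prior
    year, because that year has no 29 February.
    """
    try:
        return request_date.replace(year=request_date.year - 1)
    except ValueError:
        return request_date.replace(year=request_date.year - 1, day=28)


def unclassified(inventory: List[Record]) -> List[Record]:
    """Records carrying a label outside the inventory scheme.

    Anything listed here is a gap in the inventory: it cannot be reliably
    reported to, or deleted for, the consumer it belongs to.
    """
    return [r for r in inventory if r.category not in KNOWN_CATEGORIES]


def access_request(inventory: List[Record], consumer_id: str,
                   request_date: date) -> Dict[str, List[Record]]:
    """Records for one consumer collected within the look-back window,
    grouped by classification label. Both window boundaries are inclusive."""
    start = look_back_start(request_date)
    grouped: Dict[str, List[Record]] = {}
    for r in inventory:
        if r.consumer_id == consumer_id and start <= r.collected_on <= request_date:
            grouped.setdefault(r.category, []).append(r)
    return grouped


def deletion_request(inventory: List[Record],
                     consumer_id: str) -> Tuple[List[Record], int]:
    """Return the inventory without that consumer's records, plus the count
    removed, so the response to the consumer can state what was deleted."""
    kept = [r for r in inventory if r.consumer_id != consumer_id]
    return kept, len(inventory) - len(kept)


# Constructed sample inventory: six records around a request dated 2021-03-15.
SAMPLE_INVENTORY = [
    Record("c-001", "identifier", "email", "a@example.com", date(2020, 3, 14)),   # day before window
    Record("c-001", "identifier", "email", "a@example.com", date(2020, 3, 15)),   # window start
    Record("c-001", "commercial", "order_id", "ord-1001", date(2020, 11, 2)),
    Record("c-001", "internet_activity", "page", "/pricing", date(2021, 3, 15)),  # request date
    Record("c-001", "commercial", "order_id", "ord-1002", date(2021, 3, 16)),     # after request
    Record("c-002", "identifier", "email", "b@example.com", date(2020, 9, 1)),    # other consumer
]


def run_demo() -> dict:
    """Exercise the operations on the sample data and summarise the results."""
    grouped = access_request(SAMPLE_INVENTORY, "c-001", date(2021, 3, 15))
    _, removed = deletion_request(SAMPLE_INVENTORY, "c-001")
    return {
        "counts": {cat: len(recs) for cat, recs in sorted(grouped.items())},
        "leap_start": look_back_start(date(2024, 2, 29)).isoformat(),
        "unclassified": len(unclassified(SAMPLE_INVENTORY)),
        "deleted": removed,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Of the five records held about consumer c-001, only three fall inside the window for a request dated 2021-03-15: the record collected exactly twelve months earlier, the one from November 2020, and the one collected on the request date itself. Keeping `collected_on` on every record is what makes the window check possible at all; an inventory that records what is held but not when it was collected cannot answer a look-back request.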
5. Update Your Website
Many websites now include banners, links in the footer menu, or other features that allow users to opt-in or opt-out of the various data collection processes that businesses use. If you haven’t updated the company website to reflect this, you should do so now. Make sure that these links are:
- Conspicuous. People shouldn’t have to look for them.
- Clear. Use plain English and provide important information in a readable format. In some cases, you may be required to label a link with CCPA-specific language, such as “Do Not Sell My Information”.
- Concise. Avoid long-winded disclaimers that hide important information. State what needs to be said and nothing else.
Stay CCPA Compliant with Carbide
For-profit California businesses that meet one of the three conditions mentioned earlier in this article are now required to achieve CCPA compliance. Don’t wait until a consumer comes along and discovers that they have no way to exercise their rights. Update your policies and procedures now to protect yourself from lawsuits and data breaches.