It Started in California: California Consumer Privacy Act (CCPA)

California plays by its own rules—it’s something you can do when your state GDP is bigger than every country outside of China, Japan, and Germany. It’s the reason that sellers across the US put Prop 65 warnings on products by default. Though Prop 65 hasn’t done much more than lined the pockets of attorneys, it goes to show that if you’re doing business in the US, you have to play by the unique rulebook the state has created.

This is no more prevalent than the California Consumer Privacy Act (CCPA) of 2018. One of the toughest privacy laws in the US, the CCPA has changed the way companies need to think about the data they have about customers and has encouraged other state legislatures to do the same.

Naturally, some companies have decided to adopt this standard nationally; for example, Microsoft found it easier to honor the state’s law for everyone in the US. So, with the law now in effect, what should you know about it?

January 2020: CCPA Took Effect

Enacted in 2018, the California Consumer Privacy Act (CCPA) took effect in January 2020. Written to give users more control over their data, the CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.

Much like the European Union’s General Data Protection Regulation, the Australian Data Privacy Regulations, or even the Canadian Anti-Spam Law, you may run afoul of the law without trying to do so. In this, it’s important to know your responsibilities even if you don’t operate in the state.

Rights Granted by CCPA

According to its fact sheet, the CCPA grants the following rights:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

Is My Business Subject to CCPA Rules?

If you have personal information of 50,000 or more consumers, households, or devices, have an annual revenue in excess of $25 million, or derive more than half your revenue from the sale of information, you may have to abide by the rules.

If You Have Data about One California Resident, You Need to Comply

That’s all it takes—one record. If you meet any of the criteria listed above and one of the 40 million California residents is in your databases, you need to play by the rules of the state.

According to Help Net Security, “any business in the U.S. that has the personal data of a California resident will have to identify all categories of the data which they possess. Further, these organizations must be able to provide a full report — within 45 days of user request — of what exactly they do with this data. This includes not only the specific categories of data, but also why they possess it and who they sell it to or share it with.”

Trending: More Places Using CCPA as Framework—Federal Law Coming?

Just as the CCPA was created out of enthusiasm for the GDPR, other states have pushed their own versions of the CCPA. Washington released their own privacy law, New York has taken the CCPA further,  working on a law that imposes fiduciary responsibility on any entity that collects data about a New York Resident, and states like Massachusetts have had predecessors to the law. Learn more about the different state laws here.

How to Reduce Exposure: Becoming Compliant with CCPA Rules

If you deal in data and have records that would subject you to the CCPA rules, you may have to take a few steps to prepare. Luckily, if your company has already come into compliance with GDPR rules, you likely don’t have much to do.

Here are a few tips to reduce your exposure:

  • Map Inbound and Outbound Data Flows: You need to know what you know, how you got it and where it’s going. By mapping how incoming and outgoing data flows, you will gain an understanding of specific data types and be able to communicate it with users. Consent is a critical element of GDPR, CCPA, and other privacy regulation compliance, and understanding how you got the data is important.
  • Coordinate with Vendors: Any third-party company who processes data on your behalf might expose you to risk. Make sure that the right terms are in place to ensure everyone is in compliance with GDPR, CCPA, and more.
  • Use This as an Opportunity to Identify Customer Concerns: Do customers have issues with the information you keep? Even if compliance is your top priority and you only work to lock down California residents’ information, this is a great opportunity to show your commitment to every customer’s privacy too.
  • Develop Policies and Procedures: Consider this the earliest drizzle coming before a downpour of laws. Develop an internal process and solution to meet your customers’ needs that also complies with the intent of the framework of the regulation. Also devise a public compliance message such that your customers will be able to find a definitive compliance statement.