Data Privacy for Business and Individuals

Your Guide to the CCPA – California Consumer Privacy Act

What is the CCPA?

The California Consumer Privacy Act is a framework of legal guidelines for the collection and processing of personal information of individuals who reside in the state of California. Or, in short, it’s a set of rules that companies need to follow when they collect and protect a user’s data. As of January 1st, 2020, any company that handles California residents’ data must comply with the CCPA.

The CCPA defines a company as an entity that meets one or more of the following criteria:

  • Annual revenue exceeding $25M USD
  • Handles data from more than 50K devices
  • Makes more than 50% of its revenue from re-selling personal data

New Security and Privacy Features

The regulation was created by the California State legislature. Its basis was to help inform users of how their data is collected, how it is being used, and, most importantly, how they can opt out of any processing they do not agree with.

Here are 5 highlights from the regulation:

Right to be forgotten – Similar to the European GDPR (General Data Protection Regulation), the CCPA gives individuals the right to withdraw their data from storage or processing, from any company at any time. When the Cambridge Analytica scandal broke with Facebook in 2018, people wanted to delete their accounts, but there was no regulation dictating that Facebook had to delete their data as well. This ruling would have forced both Facebook and Cambridge Analytica to delete the data they held on any qualifying individual who requested it. Note: This right is not an opportunity to have unflattering articles or reviews removed. The rule allows personal mentions to remain if they fall under freedom of expression, public interest, public health, or research.

Right of Access – This is your right to ask a company for up to 12 months of your personal data. They are obligated to respond to this request within 45 days and deliver your data to you in a readable format, at no cost to you.

Opt Out and Consent – Companies must now include a specific opt-out option with a visible checkbox that says “Do not sell my personal information”.

There is also a list of specific pieces of information about processing that must be made available to all users. The simplest way to satisfy this requirement is to put all of that information in your Privacy Policy.

Right not to be discriminated against on Processing – Remember those “no purchase necessary” taglines on contests? This is the equivalent. If you opt out of having your data resold or processed by third parties, the company must continue to provide you with the same products or services as everyone else.

Additionally, companies cannot discriminate on pricing based on personal information. All users must be offered the same product or service for the same price. There was a practice where websites offering travel services would mark up prices based on the type of laptop you were using to do the search. This practice will be banned under the CCPA.

Direct Legal Action – For most global privacy regulations you need to file a complaint with the local data privacy authorities. Under the CCPA, individuals have the ability to sue companies directly if their rights are not being met.

For Businesses and Corporations

If your company prepared for GDPR (General Data Protection Regulation), you will be largely organized and ready to handle the CCPA. If not, the two biggest areas you will need to implement are management of user requests (data access, data rectification, and data deletion) and consent management (ensuring users have opted in to the selling of their data and that you are tracking that action).

These tasks can be done manually, but if you are a larger company it is well worth investing in tools that collect requests and do the tracking automatically.

Global Privacy Regulation Compliance is largely what WE do as a company. From DIY checklists to templates to having us do it for you, contact us for more information on how we can help.

For Small Business, Charities, & Clubs

Unfortunately, even small businesses, groups, not-for-profits, and charities fall under these regulations. If you run or are part of a group that collects information (newsletters, databases, listservs, forums, etc.), then this could apply to you. Fortunately, most of the individual tools that small businesses use, such as cloud servers, newsletter services, and CRMs, have updated their terms to comply.

What you should do:

  • Make a list of all of the software and services you use (good to have this anyway)
  • Consider each one for data collection, storage, and processing
  • For those that do collect, store, or process data, type the name of the service and ‘CCPA’ into Google for instructions

More Help and Information

More information on CCPA can be found on the State of California page for the Office of the Attorney General.

For a full picture of what compliance looks like for CCPA, download our FREE Global Regulation overview page of all ten areas on which you need to focus.

If you want help from our consultants, have any questions or find something we’ve missed let us know!
