CCPA (California Consumer Privacy Act) Explained
What is CCPA?
The California Consumer Privacy Act is a consumer privacy legislation which passed into California law on June 28th of 2018. The bill, also known as “AB 375,” has been described by some as “GDPR of the US.” This act is one of the strongest privacy legislation enacted in any state now, giving more power to consumers in regard to their private data.
It’s just a matter of time before other states will follow suit in the coming years, companies across the U.S. that take proactive steps today to better protect consumer data will be best equipped to ride the waves of change.
Is your business impacted by CCPA?
These are the three key articles in the law which explains if a business is impacted by CCPA:
- For-profit entities which do business in California and collect personal information of consumers.
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What is the scope of ‘Personal Information’?
An important term loosely defined in the bill is “personal information.” According the AB 375, “The bill…would define ‘personal information’ with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.”
Dozens and perhaps hundreds of specific data items are mentioned in the legislation, including:
- Biometric data
- Household purchase data
- Family information (e.g., how many children)
- Geolocation
- Financial information
- Sleep habits
What are the rights of a California Customer?
- General Disclosure: If a business (as defined by the bill) collects any type of personal information, this should be disclosed in a clear privacy policy available on the website of the business.
- Information Requests: Should a consumer desire to know what data is being collected, the company is required to provide such information — specifically about the individual. Some of the requests that can be made include:
- The categories of personal information collected
- Specific data collected about the individual
- Methods used to collect the data
- A business’ purpose for collecting the information
- Third parties to which personal information may be shared
- Deletion: If the consumer desires, personal information (with exceptions) will be deleted by the business.
- Opt Out – The customer has the right to have the business stop disclosing/sharing/selling their personal information to any third party.
- Same Service: Regardless of a consumer’s request and preferences about how their personal information is handled, businesses are required to provide “equal service and pricing…even if they [consumers] exercise their privacy rights under the Act.”
How to comply with CCPA?
There are many steps a business must perform to comply with all facets of the law.
- Organized Data Collection: Business first need to know where all their customer information resides and should be able to categorize and classify this information based on personal and sensitive data attributes
- Clear, Transparent Policies: Consumers can request a report on the types of data collected, data sources, collection methods, and uses for their data. While the data itself needs to be stored in a well-constructed database, many consumer questions can be quickly answered in comprehensive privacy and data collection policies.
- Knowledge of Specific Provisions: There are clearly outlined requirements within the California Data Privacy Protection Act including things such as:
- “Provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page…”
- Ensure any individuals who handle consumers’ private data know and understand all pertinent regulations.
- Ability to honor customer requests: There are many approaches to handle this. The most rudimentary is providing an email address for the customer. This is a very manual process and has the most chance of oversight and failure. A web or application-based form to gather and store this information in a database is the most effective process.
- Orchestrated workflows – the companies most prepared, have a process to automatically find customer information and deliver it to customers. More importantly be able to delete customer information based on their requests in a timely and effective manner. This is usually the hardest ask for a customer but the most effective way to honor the mandate.
Conclusion
CCPA is the first of probably many steps that companies have to be prepared for with respect to consumer data privacy. It is well worth investing in building processes and automation around finding and categorizing customer data.
Having half-baked solutions or manual solutions will create a lot of churn and manual labor at best and at worst will cause omissions and errors which could cost the company millions of dollars in fines.
It is advisable to work with solution providers who have solved this problem before and have a frameworks and solutions that can be easily reproduced.