Feb 21, 2020

Guide to the California Consumer Privacy Act (CCPA): Requirements, Nuances, and Compliance

In 2020, California (CA) saw the arrival of a new data protection law. It is called the California Consumer Privacy Act (CCPA), and non-compliance can cost you $7,500 per customer.

The Act grants Californians the right to access and manage their personal information. This is the first data privacy legislation with such far-reaching implications in the States, so it raises many questions on how to comply with it. We will answer them in this article.

Three conditions that mean you must comply with the CCPA

In general, the Act regulates those organizations that do business in California and process a large amount of client data. More specifically, there are three conditions—even if a company meets only one of them, it falls under this law:

  • Gross revenue exceeds $25m a year;
  • At least 50% of the annual revenue comes from “selling” clients’ personal information (the term “selling” encompasses everything that a company can do with customers’ data to receive profit);
  • The personal data of more than 50,000 customers a year is purchased or sold.

While the Act mostly applies to large and medium businesses, small companies and startups can still face the need to comply with it. For instance, if you have an app through which 50,000 people register their names, your company automatically falls under this legislation.

The three critical terms that create the basis of the CCPA

Before diving deeper into the general requirements, let’s go through the key terms on which the CCPA is based to ensure the correct interpretation of the law.

Personal information. Under the CCPA, personal information is literally everything that a company holds on its customers. It is not only their names or locations, but also IP addresses, cookies, and even behavioral patterns that are deduced from user web engagement.

Doing business in California. The Act applies to all organizations that fall under this scope, regardless of their location. Imagine you have a business in Europe, but some of your clients are from California. Does the law apply to you? Well, if you only occasionally have some business in the state, it does not. However, if you operate in California and receive a profit of at least $500,000 annually, you have to comply with this law.

Selling customers’ personal information. The Act regulates all activity involving customers’ data that brings you profit, ranging from oral transmission of data to creating targeted ads. However, the CCPA does permit various operations with data if it is made anonymous. For instance, Facebook makes a profit from offering targeted ads from other companies to its clients. However, Facebook’s actions do not fall under the term “selling” since the platform does not disclose people’s personal information to partners.

So if you do fall under this legislation, what are your next steps?

How to avoid getting fined

The major goal of the CCPA is to secure consumers’ privacy and allow them to control their own information. Thus, the main requirements are concerned with letting customers manage their data how they want to, including allowing them to delete their data or withdraw permission for its sale.

Our legal department at Sumsub has been preparing for the Act for several months, and although the topic is extensive, we would like to share with you the main requirements of the CCPA. Here are the major steps that a company should take.

Access for consumers to their own data. If a client requests to know what personal information is held, businesses have to acknowledge the request within 10 business days and send the information within 45 calendar days free of charge. Companies must never disclose sensitive information written in any documents or financial accounts (SSN, credit card number, etc.), even if the owner of the data requests it. Further, before sending personal information, a company must verify the customer’s identity, but there are no specific requirements for the verification format.

Option to opt out. Consumers can demand that businesses stop selling their personal data. Companies should provide at least two options for clients to opt out of the sale of their data: a toll-free number and a link labeled “Do Not Sell My Info.” This link brings customers to a webform via which they can withdraw from having their data sold.

Businesses must fulfil the opt-out request within 15 business days, and no verification is needed.

Usually, the CCPA does not require companies to ask consumers’ permission to start selling any personal data. However, when a company deals with a person between 13 and 16 years of age, it must get their consent to opt into the selling of their data. Further, if a customer is younger than 13, a business needs to obtain the permission of their parents.

Option to remove the data. Under the Act, consumers have the right to have their personal data deleted. Businesses should provide clients with two or more options to do so (a webform and a toll-free number). A business has to verify the identity of the customer to fulfil the delete request. If verification is not possible, the company can offer to handle the delete request as an opt-out request instead.

Declared categories of third parties. The CCPA requires companies to reveal the types of third parties with whom they share their customers’ data. These categories distinguish between all business partners, from service providers to marketing analytics companies.

The purpose of collection. Businesses have to explain why they are collecting the personal information: is it for detecting fraud or for quality control? The new law grants consumers the right to know.

The Act requires businesses to set out all the information about categories of data, categories of third parties, and the purpose of collection in special “notices to consumers”. These notices are unique to the CCPA, so let’s talk about them in detail.

The crucial element of the CCPA—Notices to consumers

Prior to the CCPA, businesses were required to develop their own data policy. Now they must also create three different notices to customers. Let’s go through them.

Notice at Collection of Personal Information. This notice informs customers about the categories of data that a company collects, categories of third parties that data is shared with, and the purpose of the collection.

If a business sells personal data, a link labeled “Do Not Sell My Info” and a link to its Data Privacy Policy must be provided in this notice. This page of the shoe manufacturer Birkenstock is an excellent example of a well thought-out CCPA Consumer Notice. It is written in plain language and combines all the necessary information in two comprehensible tables.

Notice of Right to Opt-Out of Sale of Personal Information. The notice tells customers that if they want to withdraw permission for the selling of their information, they can do so. Also, in this notice, you should provide a webform via which consumers can opt out.

Notice of Financial Incentive. If a company offers a financial incentive for obtaining consumers’ data, it must first receive an opt-in consent to sell the data. In addition, the company has to create a notice of financial incentive and provide an estimate of the value of consumers’ data, along with how it was calculated.

That concludes our discussion of the general requirements. Now let’s talk about how the Act deals with those who are not compliant.

Say you have failed to comply. What happens next?

Under this law, penalties can fall under two categories: law violations and data breaches.

Law violation. There are two types of law violations: intentional and unintentional. A fine of $2,500 may be imposed for those that are unintentional. If a court decides that a violation was intended, a business receives a fine of $7,500. All these penalties are per customer per violation. Now imagine that you have millions of clients!

Time to eliminate the violation. After a company receives a notice of violation, it has 30 days to take corrective action. Businesses only get fined if they fail to do so.

Data breach. Under the CCPA, consumers can get compensation of $100 to $750 for data breaches, or they can receive even more if the actual damage incurred is higher than the mentioned amount.

The Act is a big step forward in protecting the data privacy of Californians. We cannot cover all the nuances of the CCPA in a single article, so it is always advisable to hire a consultant or to look through the Act and the Regulations yourself. However, because the law is so new, some points still remain debatable. We hope all of them will be cleared up by June 2020, which is when the Californian government has scheduled the law to come into force.
