Inspired by the GDPR, the California Consumer Privacy Act of 2018 (CCPA) is the toughest data privacy law in the United States to date, but Clym can help make your website compliant easily and stress free.
Effective January 2020, the law will significantly impact the way businesses collect and process personal data by expanding California consumers' rights in terms of data privacy.
The CCPA defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
A business may not need to be located in California to be subject to the CCPA.
CCPA provides consumers with the following rights:
CCPA has been described as the strictest user rights and data privacy law ever enacted in the US, and it applies to businesses located both in and outside of California. Beginning January 1, 2020, CCPA provides protections for only California residents, but other states are considering legislation similar to CCPA.
CCPA was enacted to accomplish three primary goals for California consumers and their data (including but not limited to name, birthday, address, phone number, geographic location, and others):
a) Give consumers the right to know what information companies are collecting about them;
b) Empower consumers with the right to tell a business to not share or sell their personal information; and
c) Impose fines and consequences for businesses that fail to follow CCPA.
The following types of personal information are exceptions from the CCPA's requirements:
The CCPA must not restrict a business' ability to:
Businesses found to be out of compliance with CCPA can face harsh penalties. For starters, if a business fails to remedy an alleged noncompliance within 30 days following notification from the state, the business could be charged a civil penalty of $7,500 per violation.
Additionally, any business found to be out of compliance with CCPA can face penalties of up to $750 per violation, per user. This multiplier could make the penalties HUGE. The CCPA also allows consumers to file privacy lawsuits, meaning that a company could face litigation and damages from individual consumers!
Right to know
At consumers’ request, businesses must disclose what personal information they collected, why they have collected it, how it is used and who else has access to it.
Right to delete
Under the CCPA, a consumer has the right to request the deletion of any personal data that an organisation has collected about that customer.
Right to opt-out of sale
Consumers have the right to request that businesses stop selling their personal information to another business or third party.
Right to non-discrimination
This right protects consumers against discrimination after having exercised their rights under the CCPA, ensuring they will not be treated differently.
Private right of action for security breaches
Consumers whose non-encrypted personal information was subject to unauthorised access, theft or disclosure are granted a private right of action.
Prior to CCPA, there was minimal meaningful regulation regarding the sale and transfer of consumer data. Many companies collected and sold consumer data without consumers’ knowledge, and generated enormous revenues from doing so.
CCPA attempts to regulate these transfers and provide consumers more control of their data.
For more information about how Clym can help, visit our Features page. There are four primary components to CCPA compliance: Identify, Define, Protect and Manage. Clym can help with all four:
a) Identify: Identify, label, classify (or categorize), and index the personal information that you collect and store on all individuals (not just California consumers).
b) Define: Establish appropriate data governance policies and processes to ensure compliance with CCPA requirements. Ensure you have adequate procedures in place (and automate as much as possible) with your website to respond to the various consumer rights that consumers can exercise under CCPA. In most cases, businesses only have 45 days to respond to verified requests from consumers.
c) Protect: Help you implement the “privacy by design” and “privacy by default” principles and the data minimization requirement, similar to what’s required under GDPR.
d) Manage: Compliance is not a one-time activity; it requires ongoing management to be successful. Everyone in your business needs to understand what CCPA specifically requires of them in their individual job roles; Clym makes this easy and affordable.
Is CCPA here?
CCPA is here; it was passed as a law in 2018 and became effective on January 1, 2020 (Happy New Year, California!).
Is CCPA a law?
Yes, CCPA is a law that was enacted by the state of California (officially, it's called Assembly Bill 375) and it was passed by the legislature in 2018.
Is CCPA finalized?
CCPA is finalized and in effect; however, the state of California is continuing to provide guidance regarding the regulation, and is not bringing enforcement action for CCPA violations until July 1, 2020.
Is CCPA similar to GDPR?
Yes! Much of the CCPA was modeled after GDPR, though there are some significant differences between the regulations.
Is CCPA constitutional?
The courts have not yet addressed that matter; however, legal experts have stated that courts will likely have to determine whether CCPA's cross-border implications violate the dormant commerce clause, and whether the vague definition of “personal information” is unconstitutionally void. Stay tuned!
What rights does CCPA give to CA residents?
CCPA provides five primary rights for CA residents:
1) the right to access specific personal information that has been collected within the last 12 months about the consumer;
2) the right to be notified about the types of information and the purposes for which the information will be used;
3) the right to request a copy of the personal information that is collected in a portable and easily readable format;
4) the right to be forgotten; and
5) the right to restrict processing (“opt-out”) of personal information subject to some limitations.
Make sure your policies and procedures include information about California consumer rights, how they can submit requests related to these rights, what personal information you have collected in the past 12 months, how it was collected and for what purpose.
Additionally, you must also mention what personal information categories you disclosed or sold to any third parties in the last 12 months.
Inform your users before or at the point of collection about what categories of personal information you are collecting about them and for what purposes.
Don’t collect any other information or use it for other purposes than the ones presented to the consumer. Enable them to easily opt-in or out of cookies.
Inform your Californian consumers about how they can submit requests for access and erasure and enable them to opt out of the sale of their personal information to a third party.
Create a request management system for handling consumers’ requests in a timely manner and within the applicable timeframe.
Before disclosing any information, make sure you verify the identity of the consumer making the request. To do so, you need to provide data subjects with a way to verify their identity.
Under the CCPA, you have the obligation to ensure the security of consumers’ data and to prevent unauthorised access to their personal information through reasonable privacy and security practices.
When receiving a disclosure request, you must provide the information for 12 months back, which means you need to properly map the personal information you collect.
To really stay on the safe side, make sure you keep records of compliance to be able to prove you respected California consumer rights and the CCPA’s requirements overall.