The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) became law on January 1st, 2020 in the state of California and places additional legal requirements on businesses and organizations when it comes to handling data. The law is comprehensive, with a number of detailed statutes reflecting today’s new digital age and how valuable data has become. CCPA gives consumers new powers and rights over their data, which businesses must comply with in order to avoid being fined or found in breach of its provisions. Some of the statutes include:
- Consumers’ right to receive information on privacy practices and access information.
- Consumers’ right to deletion.
- Information required to be provided as part of an access request.
- Consumers’ right to receive information about onward disclosures.
- Consumers’ right to prohibit the sale of their information.
- Price discrimination based upon the exercise of the opt-out right.
Business compliance and impact
Businesses affected by CCPA include those which hold or collect personal data from consumers and are doing business in the state of California. There are three thresholds that organizations consider when determining whether CCPA applies. These are:
- If the annual gross revenue of a business exceeds $25 million.
- If buying or selling personal information of more than 50,000 individuals.
- If earning more than half its annual revenue from the selling of people’s personal information.
In alignment with CCPA, businesses are expected to implement data security practices that support the protection of consumer data across their organization, wherever consumer data is being handled.
Business processes required under CCPA
Businesses that fall within one or more of the compliance thresholds are subject to CCPA and must implement the following processes to be compliant:
- Implementing parental or guardian consent for children (minors) who are under the age of 13, and ‘affirmative consent’ for minors who are aged between 13 and 16 – in relation to data sharing processes.
- A clearly defined “Do Not Sell My Personal Information” link on the home page of the business’s website, where users visiting that website are able to opt out of the selling of their personal data.
- New privacy policies which include a description of California residents’ rights.
- A point of contact for website visitors that allows them to access their data.
Fines and sanctions that can be imposed under CCPA provisions
- If a business suffers data theft or a data breach, it can be ordered in civil class action lawsuits to pay statutory damages of up to $750 per incident and resident (residing in California).
- Financial penalties of up to $7,500 can be issued for intentional data violations and $2,500 for unintentional data violations.
Signed by Governor Brown in June, 2018, and enacted on January 1st, 2020, the California Consumer Privacy Act enhances consumer protection and holds to account businesses that do not protect data, or that suffer data breaches in which consumer information is accessed without consent.