To kick off the new year, the California Consumer Privacy Act (CCPA) officially went into effect on January 1, 2020. This historic state-level privacy bill was unanimously passed and signed into law in the summer of 2018, and businesses are working to adhere to the requirements by the compliance deadline of July 1, 2020.
So are you positioned to be CCPA compliant? Keep reading to learn more about the CCPA, the requirements, and what you need to do to become compliant—no matter where your business is located.
What is the CCPA?
The CCPA is a law that protects the rights of the Californian consumer. If you’re involved in ecommerce, you’ve probably already dealt with the General Data Protection Regulation (GDPR) that took effect to protect the privacy of residents of the European Union last year. The CCPA takes a similar approach to privacy but is specific to California residents.
The CCPA gives Californians the right to:
- Know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- Delete personal information held by businesses and, by extension, a business’s service provider.
- Opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information.
- Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- Non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Who does the CCPA affect?
Are you an online retailer? Then pay attention. If you think the CCPA won’t affect you because you’re not based in California, pay even closer attention.
The CCPA applies if you’re a for-profit entity, collect or control any information about a California resident, and meet any one of the following criteria:
- Have gross annual revenues in excess of $25 million
- Buy, receive, or sell personal information of 50,000 or more consumers, households, or devices
- Derive 50 percent or more of annual revenue from selling consumers’ personal information
- Handle personal information of more than 4 million consumers, which brings additional obligations
What is considered “personal information” under the CCPA?
Good question! If you’re wondering if the definition of personal information has changed under the CCPA, it has.
The CCPA broadens the definition of “personal information” to include any data that “identifies, relates to, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
This expands the definition under California law to include IP addresses, browsing history and internet search information, location data, work history, education information and more. The CCPA also specifies that any “inferences drawn” from personal information data to “create a profile about a consumer reflecting the consumer’s preference, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” constitutes personal information as well.
What can you do to be CCPA compliant?
Is your data a mess? Time to fix it. To be CCPA compliant, you need to be able to locate and serve personal information about California residents upon request. Do you work with any third-party processors, e.g. ecommerce platforms? If so, do you know how they’re using your customers’ data? It’s time to find out. Since the CCPA is so similar to GDPR (although there are some key differences), it’s a good idea to recall any resources and processes you used to become GDPR compliant.
Another element of the CCPA is that it raises the opt-in age for the collection of data. Previously, the Children’s Online Privacy Protection Act required consent from a legal guardian to collect data on users under the age of 13. The CCPA raises that age. Now, users under 16 will be required to opt in. But those between the ages of 13 and 16 can provide their own authorization instead of requiring a guardian’s OK.
If you’re concerned you won’t be compliant by the deadline, you’re not alone. Only half of the affected businesses expect to be compliant by the deadline. The good news? Although the law goes into effect in January, enforcement isn’t scheduled to begin for another six months. So you still have time to be prepared.
How might the CCPA affect business going forward?
There are still some unanswered questions on this front. But it’s probably safe to assume that, while California is the first to adopt a GDPR-like measure, it won’t be the last. California is the world’s fifth-largest economy, and where it leads, other states often follow.
If your business isn’t currently required to carefully manage consumer data and provide it upon demand, there’s a good chance it will be soon. Is your data management up to snuff? And what do you know about the third parties that have access to your data? Now is the time to do some discovery. Get started on data mapping now so you don’t get caught in a jam later.