The California Consumer Privacy Act (CCPA) marks a new chapter in the global privacy and compliance conversation. Considered by many to be the General Data Protection Regulation (GDPR) of the US, CCPA was signed into law in September 2018 and officially went into effect on January 1, 2020. At its simplest, the Act aims to protect California consumers’ personal information from businesses that collect user data.
Regardless of whether your company is headquartered in California, CCPA is a big policy shift that you should understand. Keep reading to learn more about this new regulation and what it means for your organization’s compliance program.
Breaking Down CCPA
Under this new law, a business that serves or employs residents of California and collects personal data about consumers must:
- Disclose what personal information it collected, from where it was collected, for what purpose, and with whom it shares that data, after receiving a consumer request
- Disclose the consumer’s right to delete personal information, either on its website or in its online privacy policies
- Comply with a request by a consumer to delete their personal information from its records and direct third parties to delete that information from their own records
- Disclose to consumers whose data it sells what personal information was collected, sold, or disclosed for a business purpose, and to which third parties it sold the information
- Refrain from selling to third parties the personal data of consumers who have exercised their right to opt out
Under CCPA, businesses cannot discriminate against consumers who exercise any of these rights. The Act requires companies to make two or more methods for submitting information requests available to consumers, to deliver requested information within 45 days, and to resolve violations within 30 days.
The penalty for each violation is $2,500 unless the violation is found to be intentional. In that case, the penalty is $7,500. All fines will be deposited into the Consumer Privacy Fund, a special fund created specifically to offset the costs of enforcing CCPA guidelines.
Some organizations are exempt from these requirements. These include:
- Insurance companies
- Credit reporting agencies
- Healthcare providers, covered entities, and clinical trials
Though CCPA sets strong regulations for protecting consumer information, it does clarify that its privacy requirements do not prevent a company from using personal information to complete a transaction with a consumer, stop illegal activity or security threats, exercise free speech, or utilize collected data for “solely internal uses.” As such, your first step should be to determine whether your company’s collection of consumer data falls into one of these categories, or if your company will have to comply with CCPA’s new standards at all.
Distinguishing Privacy Laws
The General Data Protection Regulation (GDPR) is a European Union regulation that went into effect in 2018 to protect personal data from companies and organizations that process user information. Many have drawn a parallel between GDPR—the preeminent global privacy law—and CCPA—the US’ newest (and most stringent) privacy law.
GDPR-compliant companies may have an easier time making changes to comply with CCPA, as they are likely to have systems for handling consumer data and meeting compliance already in place. However, CCPA goes further than GDPR in its right to opt-out, and the differences in scope, enforcement, and extent of corporate responsibility are enough to warrant a dedicated focus on CCPA compliance, no matter your company’s history with GDPR.
Complying with CCPA
According to the Data Protection Report, the primary significance of CCPA is the precedent it sets for a “sweeping” definition of personal information. Beyond standard pieces of data like name, address, and email, CCPA defines personal information as including browsing and search history, purchasing tendencies, and geolocation data. Moreover, the law includes any “inferences” used to “create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” as pieces of personal information.
Given this broad categorization of information for which consumers have a right to privacy, businesses must begin training employees to meet compliance. Forbes outlines an example nightmare situation that non-compliant companies could face under CCPA. Imagine your company has failed to deliver on 1,000 customer requests to delete their personal information. You have 30 days after being notified of your non-compliance to delete this information or face $7.5 million in civil fines if a court determines your business intentionally violated CCPA. If a court finds your violation was not intentional, you’ll have to pay $2.5 million – still no small sum.
If GDPR is any indication, regulators are serious about compliance. Don’t find your firm on a list of the biggest fines in CCPA’s first year.
Moving Forward with CCPA
This new law requires attention, not to mention company resources. Invest in a worthwhile compliance training program that will effectively prepare your employees and protect your company in the era of CCPA.
At Interactive Services, we’ve built a CCPA compliance training program that engages users with customized lessons, relevant examples, and clear instruction. Talk to us to see if our program is right for your company.
About the Author
Ethics and compliance leader providing tools, education, and advisory services for global companies to inspire principled performance. LRN’s overall approach recognizes the inherent limitations of rules and regulations in influencing behaviors. In our view, focusing on actions that help build and maintain a values-based culture will mean more compliance and reduced costs as a result of tangible and sustainable behavioral change.