What is the California Consumer Privacy Act?
qimono / Pixabay
Societies are becoming more digitized. This makes collecting consumer data — such as name, age, and email address — a vital element for businesses. Potentially adding to the stress is the California Consumer Privacy Act (CCPA) which comes into effect on January 1st, 2020.
The CCPA’s goal is to give customers more information and control over how their personal information is being used. It will apply to businesses that target California residents and California-based customers (basically, anyone who pays taxes to the State of California).
The CCPA requires businesses to get consent before collecting customers’ personal information. Business must disclose the following before or at the time of collecting customer data:
- The type of personal information you seek to collect
- The source or medium used to collect personal information
- The purpose of collecting and selling personal information
- The type of third-parties that will receive personal information
Upon customer’s request, businesses must share this information along with the customer’s personal data. Businesses must also delete customers’ personal information upon request in most situations.
Another important clause is that businesses must offer a “Do Not Sell My Personal Information,” opt-out choice. For customers under age 16, this has to be an opt-in choice. Furthermore, businesses can not discriminate against customers based on their personal information.
The CCPA requires businesses to be transparent in how they handle customer’s personal information. Failure to comply can lead to a fine up to $2500 per violation or $7500 if the violation was intentional. Additionally, infringing the CCPA can damage a business’ brand. Consequently, being aware of the CCPA is crucial for your business’ success.
What similarities does this have with GDPR?
Both the CCPA and GDPR are similar because businesses must be transparent. Businesses must disclose the following to their customers:
- Which personal information is being collected.
- How personal information is being collected.
- Which third-parties will have access to personal information.
They are also alike in that these regulations apply to businesses outside of the EU and California. However, they are different in that the GDPR is more broad while the CCPA narrowly focuses on privacy rights.
The GDPR focuses more with how personal information is processed. It regulates disclosures that need to be made (like the CCPA). It also addresses particular procedures, like how businesses should handle a data breach (unlike the CCPA).
Under the GDPR (and not the CCPA), businesses must seek consent before making automatic decisions based on personal information.
The GDPR focuses on comprehensive privacy and security practices. Meanwhile, the CCPA emphasizes on maintaining customer’s consent.
Nonetheless, it is important your business carefully examine both laws. While the GDPR can appear more extensive, following the GDPR will not lead to complying the CCPA. For example, the GDPR asks for an opt-in privacy option while the CCPA requires an opt-out. LoginRadius’ experience with handling global regulations and can ensure your business complies to various data-related mandates.
What steps do businesses need to take to get ready?
Preparing to follow the CCPA can feel overwhelming. In fact, almost half of 250 surveyed American companies haven’t started with implementing appropriate privacy policies (TrustArc, 2019). We grouped together key points of the CCPA into few steps to help you and your business prepare for the CCPA.
First, make sure your organization’s decision makers and key individuals are aware of the CCPA. They should be attentive to the following:
- What the CCPA is
- When the CCPA comes into effect (January 1st, 2020)
- How it changes existing business practices
Next, document and organize your existing customers’ personal information. It is important your business knows this:
- Which personal information is being collected
- How personal information is being collected
- Why personal information is being collected
- Where personal information is being stored
- Who the personal information is being shared with
This will help you set-up an efficient system for information retrieval at your customers’ request. If you don’t already, consider having a Data Protection Officer or a Data Protection Team to handle these requests.
For those directly interact with customers, you should consider training them on your privacy policies and procedures. This can help with creating a smoother experience for your customers and more efficiency within your team.
Despite CCPA may feel like a burden on your business, you should also recognize it as an opportunity. Privacy is valuable to customers. Therefore, successfully implementing the CCPA requirements on-time can give a leading edge to your brand that adds to your business’ success.
The GDPR and CCPA are just the beginning of digital privacy laws. So, you should prepare to thrive during this international trend.
The CCPA applies to businesses that target California-based customers. Unlike the GDPR, the CCPA is more focused on giving customers disclosure and seeking consent to collect and use their personal information.