Governments across the world are increasingly finding the need to protect consumer data from misuse by businesses. Have you heard about the California Consumer Privacy Act (CCPA) of 2018?
CCPA is similar to the famous European Union’s GDPR, but there are variations in the definitions and the underlying rules. Let’s get familiar with the CCPA requirements and what it means for your small business.
What Is CCPA?
CCPA is a law passed in 2018 in the U.S. state of California to protect the data and privacy of consumers. It came into force on January 1, 2020, requiring businesses to implement more stringent policies and procedures to safeguard consumer personal information.
The act gives residents of California the right to view, restrict the use of, and delete data that for-profit organizations collect about them. They can also sue should a data breach compromise their information.
Under the CCPA, consumers:
- Have a right to know the data collection and sharing practices of businesses
- Reserve the right to deny the sharing or sale of their data
- Can request companies to delete their data
- Under 16 must opt-in before enterprises can sell their information
- Have a right to know which third parties use their data, and where those parties acquire it
- Can take legal action if a breach compromises their information
Some of the areas that businesses have to strengthen are privacy policies, security protections, and the facilitation of consumer rights. Companies handling personal data belonging to at least 4 million consumers will need advanced recordkeeping.
What Inspired CCPA?
Following the alleged misuse of data by Cambridge Analytica in 2018, Congress noted that personal information on the internet is vulnerable to exploitation by third parties. Cambridge Analytica had harvested data from the Facebook profiles of millions of people and used it for political advertising without the owners’ consent.
With Facebook and other tech giants headquartered in Silicon Valley, California saw a need to heighten privacy controls and transparency for third parties handling data. The Federal government, as well as several other states, is considering imposing similar privacy and data protection regulations.
Which Businesses Does the CCPA Affect?
CCPA affects businesses that, in a year, generate $25 million in gross revenue, sell 50,000 consumer records, or earn 50 percent of their income from the sale of consumer data. Included are businesses that collect and sell personal information from Californian consumers while located elsewhere.
So, do small and medium-sized businesses (SMBs) need CCPA compliance? Firms operating under a parent business that meets the above conditions and sharing its branding must comply.
If your small business doesn’t meet the criteria, you could be safe for now. But who knows when you’ll hit the 50,000 consumer information usage threshold? Again, CCPA is still young, and there’s room for more amendments. It’s better to stay compliant to avoid frustration in the future.
Penalty for Non-compliance
CCPA has left some organizations confused, and some might find themselves in violation of the law due to unawareness. Some aren’t sure whether they are subject to the regulation or what to do to become compliant.
The California Attorney General is responsible for enforcing the CCPA. Prosecution for non-compliance begins in July 2020. The penalties will be quite significant, and they might leave some companies in dire financial situations.
Disgruntled consumers can sue individually or as a group, but only when a business fails to put reasonable security measures in place, leading to the access, disclosure, or theft of their information. For intentional violations, fines will be about $7,500 for each instance. However, there will be a 30-day window to resolve the alleged violations after you are notified of your non-compliance.
How to Address CCPA
Going forward, if your business is subject to CCPA, you have to meet the latest CCPA regulations to protect consumer privacy. You must notify consumers about the categories of personal information you intend to collect at or before the point of collection. You also have to indicate how you’ll use the information.
Businesses need to set up procedures to respond to consumer requests to know, opt out, and delete personal data. To make opting out easier for consumers, business websites and apps must carry a “Do Not Sell My Info” link.
Covered organizations must respond to the various consumer requests within specific timeframes. A customer’s choice to opt out made through privacy settings must be treated as a valid opt-out request.
Additionally, businesses must verify the identity of individuals asking to know or delete their personal information. This condition applies whether or not the consumer has an account with the firm. If you cannot verify a request, you must still comply with it to the best of your ability.
Businesses may offer incentives, including monetary payments, to consumers for the collection and use of their personal information. Covered entities must keep a record of consumer requests, and how they handled them, for the past 24 months.
CCPA puts a stop to businesses harvesting consumer information and exploiting it without the consent of owners. Though the wave has begun in California, it will affect businesses across the United States and the rest of the world. Become CCPA compliant today to avoid legal issues.