California passed a consumer privacy act, AB 375, in late June 2018. The law takes effect on 1 January 2020 and is expected to have greater repercussions for U.S. companies than the European Union’s General Data Protection Regulation (GDPR). The California Consumer Privacy Act (CCPA) is supposed to take a broader perspective than the GDPR, thereby posing a significant challenge to security in locating and securing private data.
What is CCPA?
The CCPA is one of the most comprehensive data privacy laws in the United States. It primarily focuses on consumer rights regarding the collection and use of personal or private data. Under the CCPA, all Californian residents can now exercise the right to ask for all the private data a company has stored. Additionally, consumers can demand the full list of all third parties with whom the company shares their personal data. The most consequential change is the authority to sue an organization if consumers find that it is violating the privacy guidelines put forth by the Californian government, even if there is no data breach.
Who needs to comply with CCPA?
The law applies to all for-profit entities that collect and process personal information of California residents and do business within the State of California. Companies meeting the three conditions defined under 1798.145 need to comply with the CCPA. These conditions are:
- A business generating annual gross revenue of over $25 million
- A business sharing or receiving personal information of more than 50,000 California residents annually, or
- A company deriving at least 50% of its annual revenue from selling private information of California residents
What is QuestionPro doing for CCPA compliance?
As a SaaS provider, we are taking every required step to be CCPA compliant before the law comes into effect.
- We have started raising awareness amongst our clients about being CCPA compliant.
- We are in the process of enhancing our privacy training program.
- We are working to create an effective strategy that would adequately handle CCPA rights granted to the California residents.
Who is protected under CCPA?
The CCPA applies to all “natural persons who are California residents”, further defined as:
- Any individual who is in the State of California for any purpose that is not transitory or temporary
- Any individual who is domiciled in the State of California but is currently or occasionally out of the state for a temporary or ephemeral reason (Cal. Civ. Code § 1798.140(g)).
Thus, the CCPA applies to all residents domiciled in California, irrespective of where they are at present. The law also states that it applies to both Business-to-Business (B2B) and Business-to-Consumer (B2C) companies.
California is the fifth-largest economy in the world (just ahead of the United Kingdom) and has about 40 million residents.
Consumer rights granted under the California Consumer Privacy Act
All the California citizens protected under the CCPA can exercise the four fundamental rights listed below.
The right to know what personal information the company collected, disclosed and sold
Under this right, the consumer can ask any company what kind of personal information it collects, publishes, uses, and sells. The consumer has a right to know the source from which the company collected their private information, how the company used it, and the list of third parties with whom it shares or to whom it sells their personal data.
The right to request the deletion of personal information
Under CCPA guidelines, consumers have the right to take ownership of their personal information. They can directly ask the company collecting and processing their personal data to remove it. Upon receiving such a request, an organization must take all necessary steps to erase all the personal data belonging to the consumer. Nevertheless, under specific circumstances, the organization can decide whether to wipe or keep the information, for example to fulfill the purpose for which it collected the data in the first place, or to abide by the contract between the data subject and the business.
Right to opt-out of the sale of personal information
All California residents can exercise the right to opt out of the sale of their personal data. To make this right exercisable, the concerned organization must provide a “Do not sell my personal information” link on the homepage of its website. This link is the means by which consumers opt out of the sale of their personal information.
As per CCPA guidelines, a business is not allowed to sell the personal information of a consumer if she/he is under 16 years of age. However, if the consumer is between 13 and 16 years or below 13 years of age, then their parents or guardians have the right to either authorize or opt out of the sale of information.
Right to non-discrimination for exercising a consumer’s privacy rights
The CCPA takes a broad approach in prohibiting businesses from giving discriminatory treatment to consumers who exercise their privacy rights. The law prohibits organizations from charging a different price or providing different goods or services to consumers who use their CCPA rights. The exception is a difference that is reasonably related to the value provided to you by your data.
What happens if you violate CCPA?
- The California Attorney General’s office is authorized to enforce penalties related to CCPA violations. The sanctions include civil monetary fines of up to $2,500 for non-intentional violations and $7,500 for intentional violations.
- As of now, the California AG’s office must provide a notice of alleged violation and allow the concerned business a timeframe of 30 days to clarify before issuing the fine.
- About 20% of the penalties collected through CCPA violations will be allocated to the newly formed “Consumer Privacy Fund”.
If you have any problems related to the CCPA and QuestionPro, please contact us to schedule a meeting with our compliance manager.