Complying with the California Consumer Privacy Act (CCPA) Checklist
The California Consumer Privacy Act of 2018 (CCPA) gives California residents more control over the information businesses collect and share about them.
More specifically, this landmark law gives California residents four important privacy rights:
- Right to know the personal information a business collects and how it’s used and shared.
- Right to delete personal information collected.
- Right to opt out of the sale of personal information.
- Right to non-discrimination for exercising CCPA rights.
The CCPA went into effect on January 1, 2020. Enforcement began in July of 2020.
What businesses does the CCPA affect?
It’s important to note that your company doesn’t have to be based in California to be subject to the CCPA regulations. Companies that serve California residents and meet one or more of the following criteria need to comply with the CCPA:
- Have at least $25 million in annual revenue
- Have the personal data of at least 50,000 individuals
- Collect more than half of revenues from the sale of personal data
Once regulators warn a company of a violation, the company has 30 days to correct the issue. If it does not, it can be fined up to $7,500 per violation. Given the volume of records some companies collect, this fine can be substantial if the violation isn’t resolved.
The CCPA also gives an individual the right to sue if their privacy rights aren’t met. And, as you might guess, this could open the door for costly class action lawsuits.
What Data Does the CCPA Protect?
The CCPA defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household.”
Some examples include:
- Name, email address, social security number
- Online identifier, IP address
- Professional or employment-related information
- Records of products purchased
- Browsing and search history
- Geolocation data
- Inferences drawn from any information to create a profile reflecting an individual’s preferences, predispositions, characteristics, etc.
This, of course, is not an exhaustive list of what’s protected by the CCPA. But, as you can see, it covers a wide range of personal data. In fact, the CCPA’s definition of private data protects more information than another groundbreaking privacy law, the European Union’s General Data Protection Regulation (GDPR).
My Business Doesn’t Meet CCPA Criteria…Should I Be Worried?
California residents who take advantage of the privacy rights offered by the CCPA may come to expect the same rights from other companies and websites they use, even if those businesses don’t qualify under the current regulations.
While your company may not be subject to the penalties for not complying with the CCPA, some California residents may choose to take their business elsewhere if they don’t think their personal data is protected.
Also, as more people demand online privacy, laws and regulations could eventually be expanded to a broader range of businesses.
It’s a great idea to start being proactive now. It shows your customers that you value their privacy. Also, it will save some hassles and headaches if the CCPA or other legislation starts targeting smaller businesses.