One of the newest pieces of legislation is the California Consumer Privacy Act, known as the CCPA. This act applies only to residents of California and was created as a way for California residents to limit the amount and type of information businesses can collect.
Online consumer privacy is an ever-growing concern. Every time a consumer accesses a website, the company collects personal data on them. But what is personal data? Personal data is considered anything that differentiates one user from another. This can be as in-depth as a social security number or as vague as a user’s age range. With sites collecting massive amounts of this personal data about users, many have grown to question why this data is being collected, who has access to it, and how it’s being used. As people become more vocal about their online privacy concerns, governments have begun stepping in, creating laws and regulations to control the collection and use of consumer information.
The California Consumer Privacy Act was signed into law on June 28th, 2018, and went into effect on January 1st, 2020. On June 1st, 2020, the final proposed regulation package was submitted to the California Office of Administrative Law. Once the CCPA was approved by the OAL, it became a law and, therefore, enforceable, as of July 1st, 2020. Since it’s an enforceable law, businesses and websites now face consequences for noncompliance.
Who Must Comply With The California Consumer Privacy Act?
Businesses that do business in California, regardless of their location in the world, should be concerned with whether they must comply with CCPA. For businesses that serve California residents, are three main criteria when it comes to who must comply with CCPA regulations. To fall under the CCPA, a business must have at least $25 million in revenue annually or hold the data of 50,000 or more people, households, or devices, or earn more than half of its annual revenue by selling personal data. Only one of these requirements must be met for a company to fall under the CCPA.
Companies that CCPA doesn’t apply to are insurance institutions, agents, and support organizations. But that doesn’t mean they can do whatever they please with Californian’s data. There is already a regulation, called the IIPPA, which is very similar to CCPA regulations, which applies to insurance institutions and the like. CCPA also doesn’t apply to nonprofit organizations, even if they meet one of the three criteria above.
What Are The California Consumer Privacy Act Requirements?
For companies who must comply with California Consumer Privacy Act, there are quite a few requirements that they must be sure they adhere to. The CCPA is a consumer-centric regulation, so every requirement relates to the ability of consumers to limit and be informed about their data collection, storage, and usage. The following are the most important requirements for CCPA compliance.
Right to Notice
If a company plans to collect personal data, it must explicitly state their intentions in a way that alerts the consumer upon accessing the site. Most sites will use a notification popup that requires the consumers to manually accept these permissions.
Right to Request
The CCPA states that consumers have the right to request a specific breakdown of the personal information that has been collected. Companies must provide this data, either by mail or online, in a way that is easy to access and read.
Right to Know
California residents have the right to know exactly how and why their data was collected. Companies must disclose the categories of data collected, the sources used to collect the information, the purpose of collecting or selling the information, which third parties the information will be shared with, and the specific pieces of information that were collected.
Right to Opt-Out
Companies must provide a link titled “Do Not Sell My Personal Information” that leads to an easy-to-submit form that consumers can fill out to opt-out of personal data sales. Once a customer has opted out of selling their information, a company must wait a minimum of one year before requesting their information again.
Right to Delete
Consumers have the right to submit a request to have their personal information deleted from a specific company’s databases. If a customer submits such a request, the company must also contact any companies they have shared the customer’s data with and request that they delete it, as well.
Right to Notification of Financial Incentive
Some companies may offer certain incentives to consumers who approve the use of their personal data. If a company offers these incentives, monetary or otherwise, it must disclose that incentive with its customers. Consumers must give explicit consent to opt-in to a company’s incentive program.
Right to Not Be Discriminated Against
Since there is an advantage to companies being able to collect and use personal data, they want as many customers as possible to approve the use of their information. However, many people will choose not to share their data. The CCPA ensures that customers who opt-out of personal data sharing won’t pay more, be given lower quality products or service, or be enticed with lower prices if they share their data.
GDPR Vs. California Consumer Privacy Act
General Data Protection Regulations, or GDPR, is a vast set of rules that allows EU citizens to have more control over how their personal data is used. While this sounds very close to CCPA, the two differ in many ways.
Applicable Entities
GDPR and CCPA apply to different entities. GDPR applies to data controllers and data processors, while CCPA applies to for-profit businesses that service California residents and meet one of the requirements listed above. This means GDPR is much broader, both in the citizens it protects and the organizations it applies to.
Protected Information
Both the CCPA and GDPR have the same basic definition of what constitutes personal data. While the GDPR says any “identifiable data” and the CCPA says “information that identifies…a particular consumer or household,” both of these definitions mean any data that can identify one person from another. The only difference is that the CCPA also protects households and specific devices, not just individual consumers.
Consumer Rights
When looking at the rights granted by both the GDPR and CCPA, some parts are very similar and others are vastly different. The right to access, right to deletion, right to nondiscrimination, and the right to request are all very similar. Both regulations do nearly that same thing to protect citizens in these regards. However, GDPR includes many rights, such as the right to rectification, the right to restrict processing, and the right to object to processing, that CCPA doesn’t include. Though GDPR may contain some protections that CCPA does not, both the GDPR and CCPA take important steps to protect citizens and consumers online.
