CCPA or California Consumers Protection Act is the newly revised personal data protection law. It was passed by the State of California, noticing the increased role of consumer’s private information in business practices and also its implications surrounding the data collection, usage, and protection procedure. The law is said to come into effect on January 1, 2020, and the following section summarizes the importance of law, including its application and steps to compliance.
CCPA Compliance and Our Readiness:
- Does business in California
- Is profit-oriented
- Collects consumer’s personal information (PI)
- Defines the purposes and means of processing consumer’s PI
Besides, the CCPA applies to a business that
- Earns annual gross revenue more than $25 million
- Buys, receives, sells, or shares PI of 50,000 or more consumers, devices, or households for commercial reasons.
- Gains 50% or more of its yearly revenue from selling consumer’s PI.
The CCPA does not apply to the following businesses
- Personal information gathered, handled, sold, or disclosed per the California Financial Privacy Information Act or Gramm-Leach-Bliley Act.
- Medical information gathered by an entity governed by the California Confidentiality of Medical Information Act (CMIA), Health Insurance Portability and Accountability Act or information collated for clinical trials.
- The selling of PI to or from a consumer reporting agency which has to be reported in or employed to produce a consumer report.
- Cooperation with law enforcement agencies or exercising/defending legal claims.
- Efforts to comply with state, federal, or local law.
- A criminal, civil, or regulatory investigation; or a summons or subpoena.
- Data collated, treated, sold, or disclosed in accordance with the Driver’s Privacy Protection Act [DPPA] of 1994.
CCPA may look similar to GDPR, but they are not the same. They have subtle differences including, information required in privacy policies, the entities they cover, prior consent, as well as selling of personal information. If you are a GDPR compliant business, the chances are that you already meet some of the requirements of CCPA. But still, you need to comply with other policies of CCPA to call yourself CCPA compliant.
“Leverage our Research-backed CCPA Readiness Solution to Minimize the Risk.”
The scope of PI or personal information under CCPA is broader than GDPR. It includes any information that can identify, relate to, describe, reference, or reasonably link, directly or indirectly, with a specific consumer or household.
The following enumerated categories of consumer information are included as PI:
| Name, personal identifier, account name, IP address, mailing address, email address, Social Security number, passport number, and driver’s license number. |
| Geo-location data |
| Biometric information |
| Personal information defined by California’s records destruction law (Cal. Civ. Code § 1798.80(e)), which includes physical characteristics or description, signature, telephone number, education, employment, insurance policy number, financial account information, and employment history |
| Individualities of protected classifications in California or federal law |
| Commercial data, including personal property, products, or services acquired, considered, or other buying or consuming histories or tendencies |
| Internet or electronic network activity, including browsing history, search history, and consumer’s interaction with a website, application, or commercial |
| Audio, visual, thermal, electronic, olfactory, or related information |
| Professional or employment-related data |
| Education information which is not freely available personally identifiable data, as declared in the Family Educational Rights and Privacy Act (20 USC § 1232(g), 34 CFR Part 99) |
Assumptions drew from any of the information mentioned above to create a consumer profile reflecting their characteristics, psychological trends, preferences, predispositions, attitudes, intelligence, behavior, aptitudes, and skills.
The newly revised CCPA provides consumers with new rights, including a right to be forgotten, a right to be transparent about data collection, a right to opt-out, and a right to opt-in for minors. Although the list of rights looks similar to European law, there are significant differences to follow.
The right to know about their personal information being collected by business: This rule requires firms to be transparent to their consumer about the personal information gathered and its usage.
The right to appeal the categories of information a business collects upon provable request: This rule grants a right to the consumers to request a disclosure of the categories and certain pieces of PI that a company collects, the source categories from where the data has been received, the business motive for amassing or selling the information, and the categories of third-party vendors with whom the information is shared.
The right to know the type of personal information collected about consumers: This rule requires businesses to disclose the PI collected about the consumer and the purposes for which it is used.
The right to express “NO” to the sale of PI: It allows consumers to opt-out of the sale of PI by a business and also prohibits the company from being discriminative against the consumer for exercising their right, such as charging the different price or providing a distinct quality of goods or services to the people who opts out, except if the variance is sensibly related to value offered by the consumer’s data. This rule also prohibits a company from selling the PI of a consumer below 16 years of age, unless positively approved.
The right to delete the personal information: This rule grants consumers with the right to request deletion of PI. It also forces businesses to delete personal data upon receiving a verified deletion request.
The right to equal service and price, although the consumers follow privacy rights: This authorizes businesses to propose financial incentives for the collection of PI.