The California Consumer Privacy Act (CCPA) in a Nutshell

In today's world of social media, social networking, mobile applications, the Internet of Things, Artificial Intelligence and Business Intelligence/Analytics, the phrase "Data is King" holds true in every sense. Every company wants to know its consumers better and use their personal data to provide a unique customer experience. But how much access to personal information is permissible and required? This has been a topic of debate in recent years and has led to a number of scandals and controversies, the Facebook and Cambridge Analytica affair being the best known. Consumers need more control over and information about their personal data, and this is why the California Consumer Privacy Act (CCPA), signed into law in 2018, took effect on Jan. 1, 2020.

Any business that meets the thresholds below and handles the personal information of California residents needs to comply with the CCPA. The CCPA is a game-changer and effectively changes the way organizations collect data. Non-compliance exposes a business to complaints to the California Attorney General, and, where a data breach exposes non-encrypted and non-redacted personal information, to private lawsuits in which statutory damages range from $100 to $750 per consumer per incident. So it is important for companies to understand the CCPA and comply with all of its requirements.

Is CCPA applicable to my company?

If your business is a for-profit entity that collects the personal information of consumers (here, California residents) and meets any one of the thresholds below, the CCPA applies to you:

· Annual gross revenue of over $25M, OR

· Buys, receives, sells or shares the personal information of at least 50,000 California residents, households and/or devices per year, OR

· Derives at least 50% of annual revenue from selling California residents' personal information

GDPR vs CCPA: Key Differences

The EU General Data Protection Regulation (GDPR) came into force in May 2018 and applies to organizations anywhere in the world that process the personal data of individuals in the European Union. Though the CCPA and the GDPR primarily serve the same purpose, there are some key differences:

· The CCPA applies only to businesses that collect or sell California residents' personal information and meet the revenue or volume thresholds given above; the GDPR has no such thresholds.

· GDPR fines can reach 4% of a company's annual global turnover (or €20 million, whichever is higher), while CCPA civil penalties are capped at $7,500 per violation.

· The GDPR protects "data subjects", defined as "an identified or identifiable natural person", while the CCPA takes a broader view of the data it protects: its definition of personal information covers data that can reasonably be linked to a household or a device, not just to an individual.

· The right to deletion in the CCPA is less stringent than in the GDPR. A business can decline a deletion request where it needs the data to complete a transaction or to comply with a legal obligation.

· Overall, the CCPA is less comprehensive than the GDPR.

CCPA Principles

The goal of the CCPA is to give consumers more control over their personal information. The key principles at the core of the CCPA are:

Right to Disclosure (Right to Know): The intent of this right is to ensure that California residents know what personal information is being collected about them. To comply, a business must inform consumers of the categories of personal information it collects. Under the CCPA, personal information is any information that identifies, relates to, or could reasonably be linked with a particular consumer or household, which is broader than the traditional notion of personally identifiable information (PII). On a verifiable request, a business must also disclose the sources from which the personal information is collected, the business or commercial purpose of the collection, the categories of third parties with whom it is shared, and the specific pieces of personal information collected about that consumer.

Right to Deletion: Under this right, California residents can request that a business delete the personal information it has collected about them. A business must act only on verifiable consumer requests, and it cannot require a consumer to create an account in order to submit one. The business must also direct its service providers to delete the data. There are exceptions to this right, for example where the business needs the data to complete a transaction, to detect and resolve security incidents, or to comply with a legal obligation.

Right to Opt-out: Under this right, consumers can direct a business to stop selling their personal information to third parties. A business that sells personal information must post a clear and conspicuous "Do Not Sell My Personal Information" link on its homepage and notify consumers, at or before the point of collection, that their information may be sold. Consumers under 16 years of age are treated differently: their information may not be sold unless they opt in, and consumers between 13 and 15 years of age can opt in themselves, while a parent or guardian must authorize the sale for a child under 13.

Right to equal services and prices: This right protects California residents from discrimination when they exercise any of their CCPA rights. A business shall not retaliate by:

· Denying goods or services

· Charging, or even suggesting, different prices or rates

· Providing a different level or quality of goods or services

The CCPA does allow a business to offer financial incentives for the collection or sale of personal information, as long as they are not unjust, unreasonable, coercive or usurious; the business must notify consumers of the incentive, and a consumer may participate only after giving opt-in consent, which can be revoked at any time.

Penalties

Civil penalties are enforced by the California Attorney General: up to $7,500 for each intentional violation of the CCPA and up to $2,500 for each violation that is not intentional. Separately, the CCPA gives consumers a private right of action when their "non-encrypted or non-redacted personal information" is exposed in a data breach caused by the business's failure to maintain reasonable security. In such cases consumers can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

Meeting the CCPA requirements is mandatory and protects your business from the financial losses that violations can bring. It also improves your company's reputation among its consumers. It is time to start your journey towards CCPA compliance.

In our next article, we will talk about mechanisms that a business needs to put in place to comply with the CCPA requirements, how gap analysis against CCPA can be done and the remediation approach.
