What is the California Consumer Privacy Act?
The California Consumer Privacy Act, or CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.
The CCPA calls for businesses not to gather or share any personal data beyond what is required by law (such as for customer account maintenance), and to inform customers in a formal and unambiguous manner of how, when, and why their personal data will be used.
“The CCPA set the standard for data security and privacy,” Consumer Watchdog’s Executive Director John M. Simpson, whose organization promotes “effective privacy legislation,” told Computerworld.
Who must comply with the CCPA?
The CCPA will only apply to businesses that earn more than $25 million in gross revenue, that collect data on more than 50,000 people, or for which selling consumer data accounts for more than 50 percent of revenue.
All companies must at least set up a web page and a toll-free phone number for fielding data requests.
According to slate.com, ‘though the law will really only have teeth in California, many companies will extend these new protections to users across the country so they don’t have to worry about distinguishing who is or isn’t a resident of the state.’
Google created a protocol that blocks websites from transmitting data to the company, which users can take advantage of by downloading an opt-out add-on. Facebook, meanwhile, is arguing that it does not need to change anything because it does not technically “sell” personal information.
According to slate.com, ‘The law is vague on how much power and transparency companies must offer to consumers in this process. Some companies may thoroughly spell out in their privacy policies exactly what kinds of information they collect and use; data covered by the CCPA includes IP addresses, contact info, internet browsing history, biometrics (like facial recognition and fingerprint data), race, gender, purchasing behavior, and locations. In some cases, consumers may be able to choose what specific data they want the company to use or delete, though this isn’t strictly mandatory under the CCPA.’
How can my company comply with the CCPA?
To cope more effectively with CCPA as well as GDPR compliance, businesses should now implement privacy-by-design solutions by adopting best practices that distinguish how customers’ information is collected from how it is used. Disclosure requirements are critically important to building trust with your consumers, especially in times of increased media interest in online tracking.
“You might want to capture who is the consumer, what exactly is the information, and depending on how much information you store about consumers, you might want to know what time frame they’re talking about,” says Joseph Lazzarotti, a privacy and data lawyer who is assisting companies with CCPA compliance.
A store is NOT a storehouse.
A service provider does not have a right to keep any personal information.
A service provider has a responsibility to deliver only those services that are in compliance with the applicable laws and regulations in the jurisdictions in which the user operates. The ultimate duty of a service provider is to the user.
Depending on which right a consumer wants to exercise—access, deletion, or opting out—there may be different kinds of information that a company will want to gather through the web form in order to verify the identity of whoever is making the request.
“With regard to the right to access your data, that has the highest threshold for risk analysis and what mechanisms you use to authenticate the person,” says Tara Cho, a privacy and cybersecurity lawyer who is also helping companies navigate the new law. “You could end up creating a data breach by sharing the information with a fraudulent actor.”
Top-level summary of some of the CCPA’s basic tenets:
- Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.
- Businesses will be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.