What is the California Consumer Privacy Act (CCPA) 2020?

The California legislature examined seven amendments up to September 13, 2019. The governor then had 30 days, until October 13, 2019, to sign the amendments into law or veto the bills that had passed the legislature.

An overview of the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is designed to give California residents increased control over their personal data. Fundamentally, it enables consumers to be aware of their data and of how it is gathered, stored and processed.

Moreover, it grants a consumer the right to request the deletion of his or her data and the right to opt out of having their information sold.

It requires non-compliant companies to come into compliance with its requirements, to facilitate their users' data requests and to update their privacy policies. Lastly, it requires companies to ensure that their vendors also comply with the requirements.

Amendment highlights

Various groups suggested many changes to the original version of the CCPA. A few impactful proposals are as follows:

1) Employee exemption (AB 25)

This bill excludes personal information collected from job applicants, employees, business owners, directors, officers, medical staff or contractors from the CCPA consumer rights (such as access, deletion, and opt-out).

However, the Senate Committee denied the suggested exemptions from the CCPA notice and data breach liability provisions. This means that employers have to provide a privacy notice when collecting employee personal information.

In addition, employee data is covered in data breach events, and the private right of action is available to employees. The employee exemption is a sunset provision that will expire by January 1, 2021.

When the date arrives, the CA legislature will provide similar regulation for the handling of employee data.

2) Loyalty programs (AB 846)

This bill will allow the use of personal information with the consumer's consent and voluntary participation in the loyalty program. It forbids companies from selling personal information from loyalty programs to other companies.

Therefore, it will impact various companies that rely on cross-marketing in their business model.

3) Consumer requests for disclosure methods (AB 1564)

This bill will allow businesses that operate online and are directly connected with their consumers to offer a single method (email) for consumers to contact them. Generally, it is less rigorous than what was originally required of entities under the CCPA. It also includes an additional method and a toll-free number.

A few items are under consideration. The amendments cover a wide range of items, including requiring data brokers to register with the attorney general (AB 1202), requirements for parents/guardians of children under 13 to give consent for social media accounts, and requiring businesses using facial recognition to disclose the usage at all relevant locations (AB 1281). The amendments also allow a business to treat consumers who have exercised privacy rights differently if this is related to the value provided by the business (AB 1355).

Rejected proposals

The amendments listed below were rejected and will not modify the CCPA.

  • Definition of personal information (AB 873) – This bill sought to include data not “reasonably linkable” to a consumer in “de-identification” information, and to remove “household” from the definition of personal information.
  • Insurance exemptions (AB 981) – This bill sought to take away from consumers the right to remove or delete personal data from insurance transactions.
  • Exceptions for businesses (AB 1416) – This bill sought to allow some exceptions for businesses to provide personal information to government agencies, as well as to allow the sale of information from “opt-out” users to detect security incidents, fraud and other activities.

Frequently Asked Questions (FAQs)

1) Is our website affected by CCPA?

Only if you collect and process data of California citizens and you meet at least one of the conditions below:

  • Your annual gross revenues are at least $25 million.
  • You obtain personal data of at least 50,000 Californian residents, households and devices every year.
  • You generate 50% of your annual revenue from the sale of California inhabitants’ personal data.

2) How to prepare data maps of California residents?

Data mapping is a process that involves identifying the type of information you accumulate, why and where you hold it, and with whom you share it. This process also states how the information is transferred and addresses many other questions related to data collection and its daily usage.

CCPA requires you to conduct data mapping of your users from California. Although this is not a strict obligation under the CCPA, it is considered a good practice that mitigates the risk associated with your users' data.

3) How can we make your website CCPA compliant?

CCPA requirements are clear and precise about what a business must do, and a business can meet them by implementing a CCPA-compliant cookie consent solution on its website. The requirements include:

  • The privacy policy must be updated to state how, why, and what personal information is being processed and collected.
  • The privacy policy must also be updated with information on how your users can request access to, change, or delete their data.
  • A business must introduce a method for verifying a person’s identity.
  • A business must introduce a “Do Not Sell My Personal Information” link on its website’s home page. Through this, your users can easily prohibit you from selling their data.
  • You must have prior consent from 13-16 year olds before you sell their data. To process the data of underage children (younger than 13 years), you must obtain consent from their parents/guardians.

4) Should I gain consent before collecting and processing my users’ data?

No. On the contrary, the CCPA does not require you to obtain consent before collecting and processing your users’ data.