CCPA Compliance: an ultimate guide to getting compliant

The California Consumer Privacy Act (CCPA), according to the legislators, is the very first consumer privacy act within the USA and is similar to the General Data Protection Regulation (GDPR). CCPA compliance includes a transparency right, which stipulates that a company must inform consumers about how it collects and shares their data. It also helps ordinary consumers by granting them the right to access their data, delete it or opt out.

Companies must ensure that they implement a CCPA compliant cookie consent solution on their website to become compliant.

Digging a little deeper into CCPA compliance

The California Consumer Privacy Act (CCPA) is designed specifically to protect the data privacy rights of Californian citizens. Under this law, companies must provide more information about the data they hold.

Most consumers do not even know that their personal data is being shared and sold. The CCPA addresses this issue. It makes sure that a customer has the option to opt out if they change their mind.

When did the CCPA come into effect?

Governor Brown approved it in June 2018, and it came into force on January 1, 2020.

From the outset, the focus of the CCPA has been on the protection of consumer privacy, in contrast to the broad scope of the GDPR. This means employee data does not fall under the provisions set out by the CCPA.

Who will be affected by the CCPA?

It covers any business that collects and sells consumers' personal information, although the CCPA provides some exemptions as well. If a company meets one or more of the following criteria, it is required to comply with the CCPA:

  • Its annual revenue is $25 million or more.
  • It processes the personal data of more than 50,000 consumers, households or devices.
  • It earns more than half of its annual revenue by selling consumers' personal data.

CCPA compliance is not applicable to:

  • Health providers and insurers
  • Banks and financial companies
  • Credit reporting agencies (Equifax, TransUnion, etc.)

CCPA and personal information

Personal information, whether it identifies a consumer directly or indirectly, is the subject of the CCPA.

In the world of data compliance laws, this is about as broad as a definition of personally identifiable information (PII) gets. The words "relate" and "reasonably linked" open up an extensive class of non-traditional identifiers, beyond name, address and social security number.

To make sure companies understand what is covered, the lawmakers listed a few specific examples, including:

  • Email address
  • Online handles
  • IP address
  • Biometric information
  • Geolocation data
  • Browsing and search history

Frequently Asked Questions (FAQs):

Q1. Does the CCPA apply to SMEs?

The size of the organization does not really matter here. However, the CCPA sets certain criteria, and if you meet these, then the CCPA applies to you.

Q2. What are the penalties for non-compliance with the CCPA?

It is a privacy act; obviously, there will be nasty consequences if you don't comply with this legislation. If you are notified that you are non-compliant, you have to take corrective measures within 30 days. Otherwise, the Attorney General can initiate a civil case against you. Fines can reach up to $7,500 per violation.

Q3. Is the CCPA similar to the GDPR?

No, this is not the case. The government of California used the momentum created by the introduction of the GDPR, but the CCPA is not as extensive as the GDPR. The GDPR shares similarities with other privacy laws, but there are significant differences between them.

Q4. If you are GDPR-compliant, does that mean you are CCPA-compliant as well?

Being GDPR compliant does not mean that you are compliant with the CCPA. Anyone who is GDPR compliant already meets some aspects of the CCPA automatically, because of the broader scope of the GDPR. However, there are still discrepancies between the two laws, and a few additional steps need to be taken to become CCPA compliant.

Firstly, you will have to amend your privacy policy and include a "Do Not Sell My Personal Information" link on your home page. Moreover, as with the GDPR, you need mechanisms for handling requests to access, change and erase data, a process for verifying the identity of the person making a data-related request, and a method for obtaining prior consent from minors before selling their personal data, in order to become CCPA compliant.