• What is CCPA Compliance?

    The California Consumer Privacy Act, according to the legislators, is the first consumer privacy act of its kind in the country. The CCPA is a GDPR-like protection that no other US state has created for its people, and CCPA compliance is as important as GDPR compliance. 

    The Privacy Act contains a transparency right: a company must inform consumers about how it collects and shares their data. It also grants every consumer the right to access his or her data, to have it deleted, and to opt out.  

    Dig a little deeper

    The California Consumer Privacy Act is designed specifically to protect the data privacy rights of Californian citizens. Under this law, companies are obliged to provide consumers with more information about how their data is handled and with whom it is shared. 

    Most consumers do not even know that their personal data is being shared and sold. This Act addresses that issue and ensures that they are given a chance to opt out if they disapprove of the terms or change their mind. 

    When will the CCPA go into effect?

    Fundamentally, the legislation was approved by Governor Brown in June of 2018, and it will come into force on January 1, 2020. 

    From the outset, the CCPA has focused on the protection of consumer privacy, in contrast to the broad scope of the GDPR. This means employee data does not fall under the protections set out in the CCPA. 

    Who will get affected by CCPA?

    It covers any business that collects and sells consumer personal information, with some exemptions. If a company meets one or more of the following criteria, it is subject to CCPA compliance:

    • Annual revenue of $25 million or more
    • It processes the personal data of more than 50,000 consumers, households or devices.
    • It earns more than half of its annual revenue by selling consumers’ personal data. 

    The lawmakers behind the CCPA exempted certain health and financial companies that already fall under federal data security law. CCPA compliance is not applicable to: 

    • Health providers and insurers already governed by the Health Insurance Portability and Accountability Act (HIPAA)
    • Banks and financial companies covered by the Gramm-Leach-Bliley Act
    • Credit reporting agencies (Equifax, TransUnion, etc.) that are under the Fair Credit Reporting Act.

    CCPA and personal information

    The CCPA is applicable to personal information that, “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

    In the world of data compliance laws, this is about as broad as a definition of personally identifiable information (PII) gets. The words “relates to” and “reasonably linked” open up an extensive class of non-traditional identifiers beyond name, address and social security number.

    CCPA compliance

    To make sure that companies understand what is covered, the lawmakers listed a few specific examples, including:

    • Email address
    • Online handles
    • IP address
    • Biometric information
    • Geolocation data
    • Browsing and search history

    Frequently Asked Questions:

    Q.No.1 Does CCPA apply to SME businesses?

    The size of the organisation does not really matter here. However, the CCPA sets certain criteria, and if you meet them, the CCPA applies to you. The criteria are listed above. 

    Q.No.2 What are the penalties for non-compliance?

    It is a Privacy Act; obviously, there will be serious consequences if you don’t comply with this legislation. If you are notified as being non-compliant, you have to take corrective measures within 30 days. Otherwise, the Attorney General can initiate a civil case against you. Fines can reach up to $7500 per violation. 

    If you violate the CCPA-guaranteed rights of 1000 users, you can probably receive a fine of $7500 for each user whose rights have been violated.

    Q.No.3 Is CCPA the California version of the GDPR?

    No, this is not the case. The government of California has used the momentum created by the introduction of the GDPR, but the CCPA is not as extensive as the GDPR. The two laws share similarities with other data protection laws, but they have significant differences.

    Q.No.4 We are GDPR-compliant. Does it mean that we are CCPA-compliant as well?

    Being GDPR compliant does not automatically make you CCPA compliant. Whoever is GDPR compliant already meets some parts of the CCPA, due to the broader scope of the GDPR. However, there are still discrepancies between the two, which means a few additional steps need to be taken to become CCPA compliant.

    First, you will have to amend your privacy policy and include a “Do Not Sell My Personal Information” link on your home page. Moreover, as under the GDPR, there need to be mechanisms for handling requests for access, correction and erasure of data, a process for verifying the identity of the person making a data-related request, and a method for obtaining prior consent from minors before selling their personal data.
