The California Consumer Privacy Act, according to its legislators, is the first consumer privacy act of its kind in the country. The CCPA gives Californians GDPR-like protection that no other US state has created for its people, and CCPA compliance is as important as GDPR compliance.
The Act contains a transparency right: a company must inform consumers about how it collects and shares their data. It also grants individuals the right to access their data, to have it deleted, and to opt out.
The California Consumer Privacy Act is designed specifically to protect the data privacy rights of Californian citizens. Under this law, companies are obliged to give consumers more information about how their data is handled and with whom it is shared.
Most consumers do not even know that their personal data is being shared and sold. This Act addresses that problem and ensures that they are given a chance to opt out if they disapprove of the terms or change their mind.
The legislation was approved by Governor Brown in June of 2018, and it will come into force on January 1, 2020.
From the outset, the focus of the CCPA has been on the protection of consumer privacy, in contrast to the broad scope of the GDPR. This means employee data does not fall under the protections set out in the CCPA.
It covers any business that collects and sells consumer personal information, subject to some exemptions. If a company meets one or more of the following criteria, it is required to comply with the CCPA:
The lawmakers behind the CCPA exempted certain health and financial companies that already fall under federal data security law. CCPA compliance is not applicable to:
The CCPA is applicable to personal information that, “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Among data compliance laws, this is about as broad as a definition of personally identifiable information (PII) gets. The phrases “relates to” and “reasonably linked” open up an extensive class of non-traditional identifiers beyond name, address, and social security number.
To make clear what this definition covers, the lawmakers listed a few specific examples, including:
Q.No.1 Does the CCPA apply to SME businesses?
The size of the organisation does not matter in itself. The CCPA sets specific criteria, and if your business meets them, the CCPA applies to you. The criteria are listed above.
Q.No.2 What are the penalties for non-compliance?
It is a privacy act, so there are serious consequences if you do not comply with it. If you are notified that you are non-compliant, you have to take corrective measures within 30 days. Otherwise, the Attorney General can initiate a civil case against you. Fines can reach up to $7500 per violation.
If you violate the CCPA-guaranteed rights of 1000 users, you could face a fine of $7500 for each user whose rights have been violated.
Q.No.3 Is the CCPA the California version of the GDPR?
No, that is not the case. California's lawmakers built on the momentum created by the introduction of the GDPR, but the CCPA is not as extensive as the GDPR. The two laws share some features, but there are significant differences between them.
Q.No.4 We are GDPR-compliant. Does it mean that we are CCPA-compliant as well?
Being GDPR compliant does not mean that you are automatically CCPA compliant. An organisation that is GDPR compliant already meets some parts of the CCPA because of the GDPR's broader scope. However, there are still differences between the two, which means a few additional steps need to be taken to be CCPA compliant.