What is CCPA?
In 2019, the California legislature passed a sweeping privacy law to protect consumers. The California Consumer Privacy Act (CCPA) became the most comprehensive privacy law in the country, but its complexity is still confusing to many businesses.
Familiar with GDPR? CCPA travels along the same lines, but with important differences — including a broader interpretation of personal information.
"Personal information" is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. — Section 1798.140(o)(1)
That naturally includes name, address, social security number, birthdate, and driver’s license number, but also reaches into biometric data, internet activity, and more.
Who it applies to
The new privacy law applies to businesses that serve consumers in California under at least one of the following conditions:
Have at least $25 million in annual revenue
Possess the personal data of more than 50,000 "consumers, households, or devices"
Earn more than half of their annual revenue selling consumers’ personal data
Certain information is considered exempt because it’s already protected by federal data security laws (such as health information under HIPAA, bank and financial information under Gramm-Leach-Bliley, and credit reporting under the Fair Credit Reporting Act), but personal information beyond the scope of these laws will still be covered by CCPA.
Rights and obligations
CCPA puts into effect a number of rights for California consumers.
Right to know: Transparency about what personal information is collected and how it is used at or before the point of collection.
Right to access: Every consumer may ask about how their personal information is collected, used and shared and receive a comprehensive and accessible report.
Right to deletion: Consumers in California can ask for their personal information to be deleted by the company.
Right to opt out (or opt in): Consumers will be able to ask a company not to sell their personal information. "Sell" is defined broadly here, “for monetary or other valuable consideration.”
Right to non-discrimination: Covered businesses can’t treat customers differently when and if they exercise their rights under the new California privacy act. For example, they can’t charge different prices to a consumer who’s opted out of having their information sold — unless these differences are “reasonably related” to the value of the personal information.
Right of action: In the case of a breach as defined by California law, consumers have the ability to sue a business in some circumstances.
Why you should be paying attention
But what does CCPA mean to you?
As a consumer, you’ll have more control over your personal information and more transparency about how it’s used.
As a business, you should note that the CCPA goes into effect on January 1, 2020, and enforcement will begin after a six-month grace period. If you’re not compliant yet, it’ll be important to get ahead of the game instead of playing catch-up (and facing possible fines and penalties).
Even if the law doesn’t apply to your business due to your size or industry, your customers may come to expect the same level of protections they find elsewhere. If your company values include consumer privacy, voluntary compliance will demonstrate that practice to your customers and stakeholders.
How to comply
TrueVault is here to help. Contact us to talk about how your company can accomplish compliance with CCPA.