In 2018, the California legislature passed a sweeping privacy law to protect consumers. The California Consumer Privacy Act (CCPA) became the most comprehensive consumer privacy law in the country.
Familiar with GDPR? CCPA travels along the same lines, but with important differences — including a broader definition of personal information.
"Personal information" is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. — Section 1798.140(o)(1)
That naturally includes name, address, social security number, birthdate, and driver’s license number, but also reaches into biometric data, internet activity, and more.
Who it applies to
CCPA applies to businesses in California that satisfy at least one of the following conditions:
-
Have at least $25 million in annual revenue
-
Buy, sell, or use for a commercial purpose the personal information of 50,000 or more "consumers, households, or devices"
-
Earn more than half of their annual revenue selling consumers’ personal data
Certain information is considered exempt because it’s already protected by federal privacy laws (such as health information under HIPAA, bank and financial information under Gramm-Leach-Bliley, and credit reporting information under the Fair Credit Reporting Act), but personal information outside the scope of these laws will still be covered by CCPA.
Rights and obligations
CCPA puts into effect a number of rights for California consumers.
Right to Know: The right to request that a business inform a consumer about what personal information is collected and how it is shared.
Right to Delete: The right to request that a business delete information provided by the consumer.
Right to Opt-Out: The right to ask a company not to sell consumer personal information. "Sell" is defined broadly here, and includes exchanging personal information “for monetary or other valuable consideration.”
Right to Non-discrimination: Covered businesses can’t treat consumers differently when and if they exercise their rights under the CCPA. They cannot, for example, charge different prices to a consumer unless the differences are “reasonably related” to the value of the personal information.
Why you should be paying attention
But what does the CCPA mean for you?
As a consumer, you’ll have more control over your personal information and more transparency about how it’s used.
As a business, if you’re not compliant yet, it’ll be important to get ahead of the game instead of playing catch up (and facing possible fines and penalties).
Even if the law doesn’t apply to your business due to your size or industry, your customers may come to expect the same level of protections they find elsewhere. If your company values consumer privacy, voluntary compliance will demonstrate your commitment.
How to comply
Start by creating an information map of your business's information collection and sharing practices, and be sure to include this information and required CCPA disclosures in your company's online privacy policy.
TrueVault believes that privacy policies are a way to show consumers we value them. Your privacy policy is one way to express your philosophy, approach, and values. The CCPA is complex, and may seem onerous at times, but its core duty is to protect consumers.
TrueVault is here to help. Contact us to talk about how your company can accomplish compliance with CCPA.
