The growth of data-driven business has increased the risk of data breaches at organizations worldwide. Criminals use increasingly sophisticated methods to reach institutions' private records, which compromises the privacy and confidentiality of those institutions' clients.
Regulators have responded with rules to protect personally identifiable information. The European Union's General Data Protection Regulation (GDPR) took effect in May 2018, and every institution handling EU residents' data was required to comply. California followed with the California Consumer Privacy Act (CCPA), signed into law in 2018 and in force from January 1, 2020, which requires covered businesses to protect the personal information they collect from California residents.
However, many businesses operating in California are still unsure what the CCPA actually requires. If your grasp of the law feels inadequate, you need not worry. This article walks through the CCPA, simplifies it, and explains the details that matter.
What is CCPA and Why Was It Enacted?
Faced with rising numbers of data breaches, California enacted the CCPA to protect the personal information that businesses collect about its residents. Unlike the EU, the United States has no comprehensive federal data privacy law, which leaves consumers' private information exposed to misappropriation and misuse.
Aware of these risks, an advocacy group called Californians for Consumer Privacy drafted a ballot initiative to regulate the use of personal data. The initiative was submitted to the Attorney General's office in November 2017, and the pressure it created led, step by step, to the enactment of the CCPA.
The initiative's proposals were taken up and debated by the California legislature, which passed the resulting bill (AB 375) in June 2018. Governor Jerry Brown signed it into the California Civil Code the same month, obliging covered businesses to follow the regulations.
California Privacy Requirements: What does it mean to Your Business?
This law gives California residents control over the personal data that businesses hold about them: the right to know what is collected and with whom it is shared, and the right to opt out of its sale. It also exposes a business to liability when a breach results from its failure to maintain reasonable security. The regulations may seem overwhelming, but they carry a business benefit: clients who trust how you handle their data are more willing to do business with you.
The Implementation Period
The law took effect on January 1, 2020. Until that date you had a grace period to understand its requirements; from then on, compliance is mandatory and a business that fails to comply can be penalized.
During the grace period you were expected to read and understand the statute and to direct any questions to the office of the Attorney General, who was required to publish implementing regulations to clarify the law. The Attorney General may begin enforcement actions on July 1, 2020, which gives covered businesses a further six months to align their practices with the published regulations.
Which Businesses Are Regulated By CCPA?
Your business falls under the CCPA if it is a for-profit business that does business in California and meets any one of the following thresholds:
- Annual gross revenue above $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
- Derives 50% or more of its annual revenue from selling California residents' personal information
Non-profit organizations and businesses that meet none of these thresholds are exempt.
Implications of CCPA
The law is intended to give California residents control over their personal information and to protect it from misuse. It applies to businesses inside and outside the state: if you run an online company based in New York but collect, store, or sell the personal data of California residents, you are subject to the regulations.
Failure to comply carries significant consequences, including lawsuits and fines. Because the law sits in the California Civil Code, a business whose failure to maintain reasonable security leads to a breach of consumers' personal information can be sued directly by the affected consumers, who may recover statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater).
Separately, the Attorney General can seek civil penalties of up to $2,500 for each violation, rising to up to $7,500 for each intentional violation.
Categories of Personal Information
The CCPA defines personal information broadly, by category of data collected about a consumer or household. The categories include:
- Identifiers. Real name, alias, postal address, email address, IP address, account name, Social Security number, driver's license number, passport number, or other similar identifiers
- Any information defined as personal under California Civil Code section 1798.80(e)
- Characteristics of protected classifications under California or federal law, such as race, gender, or ethnicity
- Professional or employment-related information
- Biometric information
- Commercial information, including records of property, products or services purchased, and purchasing histories or tendencies
- Internet or other electronic network activity, including browsing history, search history, and a consumer's interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Education information that is not publicly available
- Inferences drawn from any of the above to build a profile of the consumer's preferences, characteristics, behavior, or attitudes
- Information about minors, whose personal information may not be sold without opt-in consent (from a parent for children under 13, from the minor for ages 13 to 15)
Personal Information Provided Upon Request
Every covered business must, on request, tell a consumer what personal information it has collected about them. The CCPA requires at least two methods for submitting requests, including a toll-free telephone number and, if the business has a website, a web address. The business must respond within 45 days of receiving a verifiable request; that period can be extended once by a further 45 days if the consumer is notified.
Right to Know About Sold/Disclosed Personal Information
A business may share or sell personal information to third parties, but on request it must tell the consumer what it did: the categories of personal information it sold or disclosed, the categories of third parties that received it, and the business purpose for the disclosure.
Complying with “Right to Know” and “Disclosure” Requirements
A business must verify that a request actually comes from the consumer (or their authorized agent) before disclosing anything; releasing data to an unverified requester is itself a disclosure to the wrong party. The business must also be able to reconstruct what it collected over the preceding 12 months, so records must be kept accurately for at least that long.
Any business that sells or discloses personal information must be able to list, for the preceding 12 months, the categories of third parties that received it and the categories of information each received.
Can You Say No to Sale of Personal Information?
Yes. The CCPA gives consumers the right to direct a business not to sell their personal information, and a business must provide a clear "Do Not Sell My Personal Information" link on its website for that purpose. Once a consumer opts out, the business may not sell their data and must wait at least 12 months before asking them to opt back in.
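The Right to Know, verification, 12-month lookback and opt-out rules above fit together as a small request-handling pipeline. The following Python is an added example written for this article, not code from the author or from any compliance product; the consumers, disclosures and dates are constructed sample data, and the function and field names are hypothetical. It refuses to disclose anything for an unverified request, computes the 45-day deadline (and the one permitted extension), limits the disclosure report to the preceding 12 months, reports only categories of third parties rather than vendor names, blocks a sale after an opt-out, and enforces the 12-month wait before asking a consumer to opt back in.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RESPONSE_WINDOW_DAYS = 45    # statutory deadline for answering a verifiable request
EXTENSION_DAYS = 45          # one extension allowed, with notice to the consumer
LOOKBACK_DAYS = 365          # disclosures must cover the preceding 12 months
OPT_IN_COOLDOWN_DAYS = 365   # after an opt-out, no opt-in request for 12 months


@dataclass
class Consumer:
    consumer_id: str
    identifiers: Dict[str, str]          # e.g. {"email": "..."}; constructed sample data
    opted_out_on: Optional[date] = None  # date the consumer said "do not sell"


@dataclass
class Disclosure:
    consumer_id: str
    third_party_category: str   # the report lists categories, not vendor names
    info_category: str
    business_purpose: str
    disclosed_on: date
    is_sale: bool


@dataclass
class RightToKnowRequest:
    consumer_id: str
    received_on: date
    identity_verified: bool     # outcome of an out-of-band identity check (hypothetical)


def response_deadline(received_on: date, extended: bool = False) -> date:
    """Day by which the business must answer; extended=True applies the single 45-day extension."""
    return received_on + timedelta(days=RESPONSE_WINDOW_DAYS + (EXTENSION_DAYS if extended else 0))


def disclosures_in_lookback(consumer_id: str, disclosures: List[Disclosure], as_of: date) -> List[Disclosure]:
    """Only disclosures of this consumer's data within the 12 months before as_of."""
    start = as_of - timedelta(days=LOOKBACK_DAYS)
    return [d for d in disclosures if d.consumer_id == consumer_id and start <= d.disclosed_on <= as_of]


def fulfil_right_to_know(request: RightToKnowRequest, consumers: Dict[str, Consumer],
                         disclosures: List[Disclosure], as_of: date) -> dict:
    """Build the disclosure report, refusing if the requester was never verified."""
    if not request.identity_verified:
        # Answering an unverified request would leak personal data to whoever asked.
        raise PermissionError("request not verified; nothing disclosed")
    consumer = consumers[request.consumer_id]
    recent = disclosures_in_lookback(consumer.consumer_id, disclosures, as_of)
    return {
        "identifiers": dict(consumer.identifiers),
        "sold_to": sorted({d.third_party_category for d in recent if d.is_sale}),
        "disclosed_to": sorted({(d.third_party_category, d.business_purpose) for d in recent if not d.is_sale}),
        "deadline": response_deadline(request.received_on),
    }


def record_disclosure(consumer: Consumer, disclosure: Disclosure, disclosures: List[Disclosure]) -> None:
    """Append to the disclosure log, but refuse a sale made after the consumer opted out."""
    if disclosure.is_sale and consumer.opted_out_on is not None and consumer.opted_out_on <= disclosure.disclosed_on:
        raise ValueError("consumer opted out of sale on %s" % consumer.opted_out_on)
    disclosures.append(disclosure)


def may_request_opt_in(consumer: Consumer, today: date) -> bool:
    """True only if the consumer never opted out, or did so at least 12 months ago."""
    if consumer.opted_out_on is None:
        return True
    return today >= consumer.opted_out_on + timedelta(days=OPT_IN_COOLDOWN_DAYS)


# Constructed sample data for the worked example (not real consumers or vendors).
CONSUMERS = {"c-1": Consumer("c-1", {"email": "alice@example.com"}, opted_out_on=date(2020, 3, 1))}
DISCLOSURES = [
    Disclosure("c-1", "advertising network", "internet activity", "targeted advertising", date(2019, 11, 15), True),
    Disclosure("c-1", "payment processor", "commercial information", "payment processing", date(2020, 2, 10), False),
    Disclosure("c-1", "data broker", "identifiers", "sale", date(2018, 6, 1), True),  # older than 12 months
]

if __name__ == "__main__":
    req = RightToKnowRequest("c-1", received_on=date(2020, 4, 10), identity_verified=True)
    print(fulfil_right_to_know(req, CONSUMERS, DISCLOSURES, as_of=date(2020, 5, 1)))
```

The verification flag is deliberately an input rather than something the handler computes: how a business verifies identity (matching data points already on file, a signed-in account, an authorized agent's authority) is a separate control, and the point of the handler is that it will not produce a report without that control having succeeded.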
Complying with Right to Opt Out
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.