The California Consumer Privacy Act, or CCPA, is a bill designed to outline protections around consumer data for California residents. It is often compared to GDPR, the General Data Protection Regulation enacted in the EU. At their core, the two share many similarities. GDPR began the discussion around and facilitation of greater privacy controls. But CCPA is not exactly the same. Here are six things you need to know now about CCPA.
CCPA Goes Into Effect on January 1, 2020
CCPA Is Centered Around Personal Data
The definition of personal data within CCPA is fairly broad, defined as ” information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes, but is not limited to, “real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” CCPA does not consider publicly available information to be classified as personal data.
CCPA Applies to Businesses Outside of California
For CCPA to apply, you must do business in California, including online business. You do NOT need a physical presence. You must also meet one of the criteria below:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
CCPA Has Key Differences From GDPR
The first is the inclusion of household protection vs. just individuals. This is a more broad look at personal data than GDPR. And while GDPR is obviously meant to protect EU residents, and CCPA for residents of California, that also means that CCPA is much more likely to be relevant to a company offering goods or services in the United States.
CCPA Entitles Consumers to Certain Rights
When it comes to personal data, CCPA mandates that consumer have the right to know what data is being collected about them, as well as whether that data is sold or disclosed, and to whom. Consumers also have the right to opt out of the sale of their data. And they have the right to access all of their personal data, and to ask for it to be deleted. If they do exercise their privacy rights, they are entitled to the same service(s) and pricing as someone who has not opted out.
CCPA Offer Guidelines For Business Compliance
The key ways to ensure compliance with CCPA are to:
- Safeguard the personal data of minors (under 13 years old) by obtaining parental consent, and to secure affirmative consent of minors 13-16 years old when requesting to share data.
- Include a link on your homepage that leads users to a section of your site that enables them to opt out of the sale of their personal data.
- Create a policy for processing requests for data that includes a toll-free telephone number
- Do not request opt-in consent again for 12 months after a California resident opts out.