
Complying with the California Consumer Privacy Act

The deadline for complying with the California Consumer Privacy Act (CCPA) has passed. Here’s everything you need to know about how to stay compliant with these new regulations.

January 28, 2020

In June 2018, California passed the California Consumer Privacy Act (CCPA). The CCPA requires companies to disclose all the data they hold about consumers residing in California, including a complete list of all third parties who have access to that data. As a result, companies were forced to overhaul their data collection methods, which caused turmoil for many.

Businesses both inside and outside the state of California must be CCPA compliant now that the deadline, January 1, 2020, has passed. This is a positive move for consumer rights. One of the key features of the new regulations is that companies must notify consumers when they intend to profit from their data, and must also give them a means to opt out of that monetization.

Despite having close to two years to prepare, many companies still struggle to comply. To give you a thorough understanding of what is expected and how to go about being compliant, the following guide covers:

  1. The companies affected by the CCPA
  2. How the CCPA defines personal data
  3. Consumer rights under CCPA
  4. Your CCPA compliance checklist
  5. CCPA fines
  6. CCPA vs. GDPR
  7. How outsourcing identity verification can help

1. The companies affected by the CCPA

The CCPA applies to any business that generates profits by selling, sharing, or collecting personal data from California residents. While this sounds a little vague, the CCPA does list criteria for companies that need to comply, including:

  1. It stores personal data from 50,000+ consumers, devices, or households
  2. Over 50% of its annual revenue comes from the sale of personal data
  3. Its annual gross revenues exceed $25 million

2. How the CCPA defines personal data

Before diving into how being compliant works, it is important to understand how the CCPA defines personal data. Below is the definition included in the act:

“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

While this seems like an alarmingly vague way to define personal data, the CCPA elaborates on the definition. Below are the different categories of personal data as well as concrete examples of each:

  1. Identifiers: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  2. Characteristics of protected classifications under California or federal law: age, gender expression, sexual orientation, race, religion, gender identity
  3. Commercial information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  4. Personal data from California consumers that businesses collect: address, number of kids, how fast a consumer drives, consumer’s personality, sleep habits, biometric and health information, financial information, geolocation information, social network, etc.
  5. Biometric information: fingerprint, height, facial recognition, voice, hair color, etc.
  6. Internet or other electronic network activity information: browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information
  11. Inferences: information drawn from the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

3. Consumer rights under the CCPA

Having all personal data well organized and readily available is essential to being CCPA compliant, because consumers have the right to request all data a company has about them twice a year, free of charge. This is just one of many consumer rights under the CCPA. Others include:

  • The right to say no to the sale of your personal data
  • The right to sue companies that collected your data when a breach occurs
  • The right to request the deletion of your personal data
  • The right to know the purpose for which an individual’s personal data is collected
  • The right to know the sources from which consumer personal data was acquired
  • The right to know the third parties with whom personal data is shared

These are the most important rights in terms of how they can impact your business. You can view the full list of consumer rights under the CCPA here.

4. Your CCPA compliance checklist

Making all of this information available in a way that lets customers exercise their rights can be challenging. To help you adapt to the changes the CCPA brings, we put together a quick checklist of activities.

4.1. Keep personal data registries

Keep a registry of the personal data you have collected about each customer over the past 12 months. When customers approach you with a request for their data, make sure those requests are fulfilled free of charge.

4.2. Be responsive

If one of your consumers asks you to disclose or delete personal data about them, be sure to respond to the request within the first ten days. The period can be extended to 45 days if necessary.

4.3. Make sure they can opt-out

Provide your consumers with the option to decide what personal data you can store. This includes giving them a way to exercise their right to opt out of the sale of their data. If they do opt out, do not discriminate against them: provide equal benefits and service quality regardless of whether they opt in or out.

4.4. Make sure you get consent

If one of your consumers is between 13 and 16 years old, remember to get their consent before selling their personal data. In the case of children under 13, you must obtain consent from their parents.

4.5. Keep your privacy policy up to date

Remember to update your privacy policy and include all the modifications that the CCPA demands.

5. CCPA fines

One of the most important differences between the CCPA and the GDPR is that the CCPA explicitly grants consumers the right to sue companies if unauthorized personnel gain access to their personal data.

While statutory damages range between $100 and $750 per incident, consumers can claim much more depending on the damage done. In the exact terms the CCPA uses, consumers can:

“Recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”

Civil penalties should also be considered. The Attorney General can prosecute a business for general violations of the CCPA, even if no breach has occurred. The maximum fine is $2,500 per unintentional violation and $7,500 per intentional violation.

6. CCPA vs. GDPR

If you are already familiar with the European Union’s General Data Protection Regulation (GDPR), you may have already noticed some similarities.

Both the CCPA and GDPR were created to give data subjects certain rights with respect to their personal data, including:

  • The right to access
  • The right to be informed
  • The right to portability
  • The right to deletion

Both laws also have extraterritorial scope, meaning the regulations apply to any business in the world as long as certain requirements are met. For the CCPA, any company that trades in the consumer data of over 50,000 California residents must comply. In the case of the GDPR, it doesn’t matter where the company is located as long as it offers services to individuals within the EU.

While the objectives of the two laws are similar, there is a big difference in fines. CCPA fines are imposed by the California Attorney General and range from $2,500 to $7,500 per violation. GDPR fines, on the other hand, are imposed by the Data Protection Authority of each EU member state and can reach 4% of a company’s global annual turnover or €20 million.

7. How an identity verification partner can help

Both the CCPA and the GDPR aim to improve transparency between consumers and businesses with regard to the use of personal data. For global companies in regulated industries where knowing your customer is required, being compliant on both fronts is critical.

Using an identity verification partner can help you manage personal data in a way that is both secure and compliant with regulations like GDPR and the CCPA. Veriff helps international companies like Turo, Blockchain, and more verify users and meet regulatory demands. Learn more about how we can help by scheduling a demo with one of our product specialists.