The deadline for complying with the California Consumer Privacy Act (CCPA) has passed. Here’s everything you need to know about how to stay compliant with these new regulations.
Mario Alfaro, January 28th, 2020
In June 2018, California passed the California Consumer Privacy Act (CCPA). The CCPA requires companies to show all the data they have about consumers residing in California, including a complete list of all third parties who have access to that data. This forced companies to overhaul their data collection methods and caused turmoil for many.
Businesses inside or outside the state of California must be CCPA compliant now that the deadline, January 1, 2020, has passed. This is a positive move towards consumer rights. One of the key features of these new regulations is that companies must notify consumers when they attempt to generate profits with their data, and must also give them a means to not participate in that monetization.
Despite having close to two years to prepare, many companies still struggle to comply. To give you a thorough understanding of what is expected and how to go about being compliant, the following guide covers:
The CCPA applies to any business that generates profits by selling, sharing, or collecting personal data from California residents. While this sounds a little vague, the CCPA does list criteria for companies that need to comply, including:
Before diving into how being compliant works, it is important to understand how the CCPA defines personal data. Below is the definition included in the act:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
While this seems like an alarmingly vague way to define personal data, the CCPA elaborates on the definition. Below are the different categories of personal data as well as concrete examples of each:
Having all personal data well organized and handy is essential to being CCPA compliant, because consumers have the right to request all data a company has about them twice a year, free of charge. This is just one of many consumer rights under the CCPA; others include:
These are the most important rights in terms of how they can impact your business. You can view the full list of consumer rights under the CCPA here.
Having access to all this information in a way that makes it possible for customers to exercise their rights can be challenging. To help you adapt to the new changes that CCPA brings, we put together a quick checklist of activities.
Have a registry of the personal data you collected about each customer over the past 12 months. When customers approach you with a request for their data, make sure the consultations are free of charge.
If one of your consumers asks you to disclose or delete personal data about them, be sure to respond to the request within the first ten days. The term can be extended to 45 days if necessary.
Provide your consumers with the option to decide what personal data you can store. This includes letting your consumers exercise their right to opt out of the sale of their data. If they do decide to opt out, refrain from discriminating against them. This includes providing equal benefits and service quality regardless of whether they opt in or out.
If one of your consumers is between 13 and 16 years old, remember to get their consent before selling their personal data. In the case of children under 13, you must obtain consent from their parents.
One of the most important differences between CCPA and GDPR is that CCPA explicitly grants consumers the right to sue companies if unauthorized personnel have access to their personal data.
While fines range from $100 to $750 for each event, consumers can claim much more depending on the damage done. In the exact terms the CCPA uses, consumers can:
“Recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
Civil penalties should also be considered. The Attorney General can also prosecute a business for general violations of the CCPA, even if there has been no breach under CCPA. The maximum fine is $7,500 for unintentional violations and $2,500 when breaches are accidental.
If you are already familiar with the European Union’s General Data Protection Regulation (GDPR), you may have already noticed some similarities.
Both the CCPA and GDPR were created to give data subjects certain rights with respect to their personal data, including:
Both laws also contemplate the scope of extraterritoriality. This means that the regulations will affect any business in the world as long as certain requirements are met. For the CCPA, any company that trades with consumer data of over 50,000 California residents must comply. In the case of GDPR, it doesn’t matter where the company is as long as it offers services to individuals within the EU.
While there are many similarities in the objectives of both reforms, there is a big difference in fines. CCPA fines are imposed by the California Attorney General, ranging from $2,500 to $7,500 per violation. On the other hand, GDPR fines are imposed by the Data Protection Authority of EU member states, and range from 4% of a company’s global annual turnover up to €20 million.
Both the CCPA and GDPR aim to improve transparency between consumers and businesses with regard to personal data use. For global companies in regulated industries where knowing your customer is required, being compliant on both fronts is critical.
Using an identity verification partner can help you manage personal data in a way that is both secure and compliant with regulations like GDPR and the CCPA. Veriff helps international companies like Turo, Blockchain, and more verify users and meet regulatory demands. Learn more about how we can help by scheduling a demo with one of our product specialists.
Mario Alfaro is a Legal Counsel at Veriff. He has been working in the legal field since 2013. He has developed his career in the banking sector, immigration law and human rights, and is now focused on issues related to data protection.