The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. In the run-up to that date the Internet has been flooded with CCPA coverage, most of which only partially explains whom the act applies to, what it requires, and what the penalties are. That prompted us to write a detailed guide covering everything you should know before the act comes into force.
What will the CCPA Accomplish?
The purpose of the California Consumer Privacy Act is straightforward: to protect the personal information of California residents by giving them enforceable rights over how businesses collect, use, and sell it, including the right to know what is collected, the right to have it deleted, and the right to opt out of its sale. Note that, unlike the GDPR, the CCPA generally does not require businesses to obtain consent before collecting personal information; its model is transparency plus opt-out, with opt-in consent required only for selling the personal information of consumers under 16. There is broad consensus that the CCPA will change the way businesses think about user data. It is the first comprehensive consumer privacy law in the United States, and it may prove a big step toward data protection across the board, as numerous other states have started working on their own data regulations.
Is CCPA the California version of the GDPR?
A direct comparison of the CCPA and the GDPR shows some fundamental similarities. Both laws center on how personal information is processed, both were created to protect individuals, and both apply to any organization doing business within the law's territorial reach, not only to organizations based there.
While the two share a core, the similarities also highlight the differences. The GDPR is the broader law: it also regulates the legal bases and principles of personal data processing, mandates specific data security measures, and provides for codes of conduct. The CCPA, on the other hand, requires businesses to publish and keep up to date specific disclosures about their practices for selling personal information, and to give individuals an explicit way to opt out of the sale of their personal information; the GDPR has no direct equivalent of the "Do Not Sell" mechanism.
With all of this in mind, the CCPA is in many ways California's version of the GDPR. It clearly resembles the European law in important respects, but differs from it in several personal information requirements.
What should a CCPA-compliant Privacy Policy Contain?
This part of the California Consumer Privacy Act will probably be the most difficult one for businesses to fulfill, simply because it includes many different conditions that must be met to be CCPA compliant. That said, the text of the act contains all the information you need to ensure compliance. Here is a quick overview:
- CCPA Consumer Rights – the act clearly states all of the consumer privacy rights it grants. Most importantly, consumers have the right to access the personal information a business holds about them. Businesses must honor such requests free of charge, up to twice in any twelve-month period.
- Requesting Access and Deletion – this requirement builds on the first by obliging businesses to provide reliable channels through which consumers can request access to, and deletion of, their personal information. At a minimum this means a toll-free telephone number and, for businesses that maintain a website, a web address (for example, a request form on the site).
- "Do Not Sell My Personal Information" Link – businesses that sell their users' personal information must provide a clear and conspicuous link with this title on their homepage, leading to a web page through which users can opt out of having their personal information sold.
- Categories of Collected Personal Information – every business must list the categories of personal information it has collected over the previous twelve months. The statute's categories include identifiers, employment and education information, characteristics protected under California or federal law, and the other categories of personal information enumerated in the act.
- Sources of Personal Information – in addition to telling consumers what types of personal information they collect, businesses must disclose where that information comes from. To be precise, the act requires only the categories of sources to be listed; individual sources need not be named.
- Purpose for Collecting Personal Information – businesses must also tell consumers the business or commercial purpose for which their personal information is collected. This is a fairly standard clause that many Privacy Policies already contain.
- Personal Information You've Sold – a business that sells personal information must list all of the categories of personal information it has sold in the preceding twelve months.
- Personal Information You've Disclosed for a Business Purpose – finally, the CCPA requires every business to list each category of personal information it has disclosed for a business purpose. The act defines seven specific business purposes, ranging from security and performing services to auditing and testing.
What are the penalties for non-compliance?
The CCPA applies to any for-profit business that does business in California and collects personal information from California residents, provided it meets at least one of the statute's thresholds: annual gross revenues above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of its annual revenue from selling consumers' personal information. A business that fails to comply can be subjected to civil penalties enforced by the California Attorney General, but only after it has been notified of the violation and has failed to cure it within 30 days. The size of the fine depends on whether the violation was intentional: the maximum penalty is $2,500 per unintentional violation and $7,500 per intentional violation. Because penalties are assessed per violation, a single systemic failure affecting many consumers can add up quickly. Separately, the act gives consumers a private right of action when their non-encrypted or non-redacted personal information is exposed in a data breach caused by a business's failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. It remains unclear exactly what will count as a violation in practice and when the act will treat one as intentional.
How do I Make a Website CCPA compliant?
With all of this said, let's get to probably the most important topic of this article: how to comply with the CCPA. You will undoubtedly have some work to do, but how much depends on whether you have already implemented changes for the GDPR. Here is an overview of what you can do to make your site CCPA compliant.
You don’t have GDPR Compliance
If you are starting from square one, the required steps are more involved and will take considerably more effort. If you are a business, service provider, or "third party" as defined in the CCPA, you will need to implement all of the CCPA-specific requirements described above (the "Do Not Sell" link, the twelve-month category disclosures, the toll-free number and web request channel), as well as the requirements the CCPA shares with the GDPR. The section below covers the most important of those shared requirements.
You already have GDPR Compliance
If your website is already GDPR compliant, you will not have to make massive changes to meet the CCPA requirements. Because the GDPR is the broader law, it already covers most of what you need to worry about under the CCPA. Among other things, a GDPR-compliant website should:
- Have a precisely written Privacy Policy
- Obtain consent to use cookies
- Give users a working way to access and delete their personal information
- Have appropriate technical and organizational security measures in place
Regardless of which situation you are in, the main thrust of both the CCPA and the GDPR is that site owners must build systems that can notify users and protect their personal information against data breaches, leaks, and other threats to personal data. Because the CCPA's private right of action for data breaches reaches only personal information that was not encrypted or redacted, encrypting personal data at rest and tightly restricting who can access it directly reduce your exposure. There is still time to make your site compliant with the CCPA before it takes effect, so be thorough and tick all of the boxes; it will save you a lot of trouble later.
To learn more about how Hideez Enterprise Solution can strengthen your CCPA compliance with appropriate authentication systems - schedule a demo: