CCPA Overview & Introduction

What is the CCPA?

The California Consumer Privacy Act, known also as Assembly Bill 375 or CCPA, is a consumer privacy law. This law regulates how businesses handle, process, share and sell customer information and data. The government of the State of California enacted the CCPA with urgency in June 2018, and amended it in September 2018. It will go into effect starting on January 1, 2020.

Who does it protect?

The CCPA protects consumers that reside in or are otherwise residents of California. However, many anticipate that the CCPA will lead to broader implications concerning citizens outside of California.

The CCPA protects consumers and allows them to opt-out of having their information (both private and personal)  sold to businesses or entities. The CCPA also states that businesses must disclose the personal data sold or otherwise disclosed to other entities for business purposes or profit.

It protects users who do choose to opt-out from any discrimination on the business’ behalf as well. This includes pricing changes, differences in quality of products or service levels, and more.

Additionally, it contains specifications regarding the data collection of minors. It protects children and teenagers under the age of 16 from having their data or personal information sold without their consent, and in the case of minors under the age of 13, the parents or guardians of the child are required to give their consent before that data or information can be sold or traded.

What are the intentions?

What is the California Consumer Privacy Act, and what are the intentions of it?

The CCPA regulations are intended to protect privacy for any state of California residents and consumers, including the privacy of minors below the age of 16.

The CCPA privacy regulations allow consumers to know what personal data is being collected about them by your business. It also allows your customers and users to know whether their data and information are being sold or otherwise disclosed and with whom these transactions are taking place.

With the help of the CCPA, your users and customers can decide whether they want their information and data sold and the CCPA will legally allow them to opt-out of having their information sold to other entities. The CCPA will also allow your customers to request access to see and monitor what data and information your business has collected about them.

Once your customers have access to this data, they can request that this data be deleted or removed from the database.

Legally, your business will be mandated to accept, process, and ultimately comply with the request. You are not legally allowed to make this process difficult for your customers or users of your website. You must provide an easy link from your website home page for consumers that will legally ban you from selling their information on your website, and you cannot require that users create any kind of account to request removal or deletion of their data.

Additionally, your business cannot in any way retaliate or punish a user for opting out of having their information sold or requesting that information be removed or deleted from your database.

The intentions behind the CCPA are to protect any consumer, user, or customer that resides in the law’s acting state, California. However, this does not mean it is only limited to businesses based in California. Any business that has consumers, customers, or users in California that collects and sells data or makes a profit exceeding $25 million in gross annual revenue per year is subject to this law.

The CCPA is enforceable not only by the Attorney General of California but can also be acted upon or enforced by private litigants. Take notice, however, that there is technical terminology within the legislation that was included in regards to when and how a consumer can bring about a private action under the statute. These terms provide any covered businesses with opportunities to cure, fix or revamp certain instances of non-compliance.

Most notably, the Act includes the following:

            “Enforcement by Attorney General: Violations of the CCPA are enforceable by the California Attorney General, which is authorized to pursue civil penalties of up to US $7,500 per violation.

            “Limited Private Right of Action for Unauthorized Disclosure of Data: Consumers may bring a private right of action against covered businesses in connection with ‘certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information’ if the covered business has failed to implement and maintain reasonable security measures to protect such information. However, prior to commencing an action for statutory damages (US $100 - $750 per incident), the consumer must provide the covered business with 30 days to cure the alleged violation and to respond with a written statement that the violation has been cured.”

Additionally, the CCPA has included clarifications that help to alleviate or entirely avoid any conflicts with other regulations, including HIPAA, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act and the California Financial Information Privacy Act.

The additional revisions to the CCPA include:

• The consumer has a right to litigation under CCPA that is only applicable to data breaches, not to violations under any additional sections
• The CCPA will go into effect on January 1, 2020, and will preempt all relevant local laws
• The Attorney General of California’s general enforcement of the CCPA will begin “six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”

What Does the CCPA Change and What Does it Do?

The CCPA does several things. Keep in mind that this list may change, as the legislation of the law itself may change in the future. The law may extend to cover more privacy features and factors or may remain stagnant depending on its success and use regarding compliance or the lack thereof.

What Does CCPA Stand For?

The CCPA, otherwise known as the California Consumers Protection Act of 2018, is the most recent law protecting personal data. It was passed by the State of California as a response to the increasing role that personal data plays in contemporary business practices. It also has implications regarding consumer personal privacy concerning the collection, use, sale, and protection of personal information.

What Happens to CalOPPA and Other California Privacy Laws from 2020? Will I Still Have to Comply with Them?

The CCPA is not intended as, nor will it be used as a replacement for any existing California privacy law. All of the privacy laws currently scheduled for activity will go into effect starting on January 1, 2020. This means that you will have to comply with all of them.

CCPA was written and meant to complement the current personal data protection laws, not replace them. CalOPPA and other protection laws will continue to exist. That means that you will still be obliged to meet those requirements in addition to the ones that CCPA enacts.

The introduction of the CCPA does not change anything in terms of your duties in complying with other California personal data protection laws. This includes CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act.

What’s the Difference Between CalOPPA and CCPA?

This is a valid question, as there are similarities between CalOPPA and CCPA. But, they also have notable differences as well.

1.    Privacy Policies

Including information on how what and why you collect and process the personal information of your consumers will satisfy requirements outlined by both CalOPPA and CCPA. However:

• CalOPPA requires you to provide specific information in your privacy policy as it relates to how the website responds to “do not track” signals, the effective date of the privacy policy, and how you intend to inform your users and consumers of any changes in your privacy policy.

• CCPA has slightly different though still important requirements that you need to keep in mind and adhere to. You must include information about any sales of your users’ personal information and provide a way for them to opt-out of the process. You must also put methods of verification of the identity of the person requesting access, changes or deletions, and erasure of data. You must have methods in place for users to submit such requests as they are related to their personal information. Lastly, you must be familiar with whom the law applies.

2.    Prior Consent

CalOPPA does not require that you obtain prior consent in any case. CPA, however, does require that you obtain prior consent from minors before selling their data. If the minor is between the ages of 13 and 16, you must obtain consent from them to share or sell their information and personal data. If they are under the age of 13, consent must be given by the parent or guardian.

3.    Not Selling Personal Data

CalOPPA does not have any phrasing or reference to the sale of any consumer personal data. CCPA will require that you include a “do not sell my personal data” link somewhere on your home page. When a user clicks and completes the request, it means that you will not be permitted to sell any of their data that you have collected on that consumer.

Who Does CCPA Apply To?

The CCPA applies to any company where any of the following facts are true:

• The company collects personal data of California residents
• The company, or any parent or subsidiary:
  • Exceeds an annual gross revenue of at least $25 million
  • Obtains the personal information of at least 50,000 California households, residents, or devices
  • Is a business has at least 50% of its annual revenue generated from selling the personal information of California residents

If you are unclear, a California resident is defined by California law as any person who resides in California for any reason other than a temporary or transitory purpose, or is domiciled in California but is outside of the state for temporary or transitory purposes.

It should be clarified that the CCPA does not only apply to businesses that are based in California. It can be applied to any company in the world.

Does CCPA Apply to SME Businesses?

CCPA applies to any business that meets any of the aforementioned criteria, regardless of the size of the business. The CCPA does not care if a business is small or large, only if it meets the criteria outlined in its legislation.

What Are the Penalties for Non-Compliance?

If you decide to ignore the CCPA, you will be in non-compliance. Non-compliance will result in hefty fines and potential loss of business, as your customers may not trust you if you cannot be bothered to follow the law.

The Attorney General may initiate a civil case against you and your business if you continue your non-compliance after thirty days of originally being notified that there was a problem. This will result in fines of up to $7,500 per violation.

For every user whose CCPA-promised rights were violated with your non-compliance, you will receive a fine. So if your non-compliance violated the rights of 1,000 users, you would be faced with a fine of up to $7,500,000.

Is CCPA the California Version of the GDPR?

In short, no. CCPA may have been influenced by the introduction of the GDPR, but CCPA is not as extensive as the GDPR. GDPR does have some similarities with recently-introduced privacy laws, but there are some substantial differences even in those comparisons.

We Are GDPR-Compliant; Are We Also CCPA Compliant?

Being GDPR compliant does not automatically mean that you also meet CCPA compliance requirements. There is a high likelihood that if you are GDPR compliant, you may meet some of the requirements of CCPA, but it is also likely that you will have more work to do to be considered compliant with the CCPA.

You will need to make the appropriate adjustments to your privacy policy, including a “do not sell my personal information” link on your home page, establishing methods for data access, change and erasure requests, establishing identification verification methods, and establishing methods for obtaining prior consent by minors before selling or sharing their data.

What is Personal Data According to the CCPA?

Personal data, as defined by the CCPA, is any information that identifies, relates to, describes, is associated with, or could reasonably be linked to, directly or indirectly, a particular consumer or household.

Personal information includes, but is not limited to, any names, email addresses, biometric data, IP addresses, Internet of Things information geolocation data, professional or employment information, and more.

Publicly available information is not considered to be personal information and is therefore not covered under the CCPA.

What Should a CCPA-Compliant Privacy Policy Contain?

When you collect and process a user’s personal information, you need to make sure that your privacy policy is compliant with the CCPA. Ensure your policy includes, but is not limited to:

• What kind of information you collect and process
• Why you collect and process this information
• How you or your business collect and process the information
• How your users can request access, changes, removal, or deletion of their data
• What your method is for verifying the identity of users who submit requests
• Sales of users’ data and how they can opt-out of having their data sold

Do I Need to Obtain Prior Consent?

Unlike with other laws regarding user privacy,  CCPA does not require you to obtain consent before collecting and processing user data. This is, of course, different in the case of minors under the age of 16.

Can We Sell Our User’s Personal Data Freely?

CCPA doesn’t limit or prevent you from selling your users’ data, but it does oblige you to allow your users to opt-out from having their data sold or traded.

Any user that wishes to opt-out from having their data sold can click on the “do not sell my personal information” link on your home page, and you will be banned from selling that user’s data and personal information. You will be encouraged to make this process as easy and as simple as possible for the users of your website. You will not be allowed to require that a user create an account to opt-out of having their data and information sold.

For minors between the ages of 13 and 16, consent has to be obtained before you can sell their personal information or data. For minors under the age of 13, consent must be obtained from a parent or guardian.

Otherwise, you are free to sell any user’s data and information so long as they have not opted out and are not a minor.

Contact MatrixPoint for Assistance

Feel free to schedule a consultation with MatrixPoint to learn more about our data privacy management solutions. We’re prepared and capable of helping you understand and prepare for the upcoming CCPA regulations.