CCPA

The California Consumer Privacy Act (CCPA) is a piece of data privacy legislation that applies to most businesses that process the personal data of California residents. The CCPA gives California residents a certain amount of control over the personal data that businesses collect about them. It was enacted in 2018 and goes into effect officially in 2020. The purpose of the act is to protect the rights of California residents with regard to having their data sold by companies. Even if you do not operate your business in the state and have no customers or clients there that you know of, this still applies to you.

If your company has a website, people from all over the world can access it, even if they use it only once. Remember that you are responsible for complying with all privacy laws and regulations that may affect the people who use your business or services, purchase the products you sell, and so on. The CCPA explicitly outlines which businesses are subject to its regulations.

If a for-profit business meets any of the following criteria, it is subject to the CCPA:

  • The business in question has a gross annual revenue of $25 million or more.
  • The business purchases, receives or sells personal data from 50,000 sources or more. Sources include individuals, households, or devices.
  • The business earns 50% or more of its annual revenue through the sales of personal data.

On top of these criteria, the language of the CCPA also suggests that any business handling personal data from at least four million people may face additional obligations in the future. The act outlines the rights of Californians along with a substantial list of obligations for the businesses it covers; failing to meet those obligations can, of course, result in thousands of dollars in fines.

Rather than discuss the individual rights that it covers, we are going to go over the obligations that it imposes on businesses. Under the CCPA, every business must do the following:

  • Notify customers in advance when personal data will be collected.
  • Make it easy for customers to opt-out of having their data sold.
  • Respond to consumers exercising their rights under the act in a specific timeframe.
  • Verify the identity of consumers that make requests under the act.
  • Disclose any financial incentives for collecting and selling the data. In addition, they must disclose how the value of the data was calculated and the reason that these incentives should be permitted under the act.
  • Keep records of any requests and responses from consumers that are exercising their rights under the act.
  • Maintain an inventory of data and track the flow of that data.
  • Disclose all data privacy policies and how they are applied in practice.

Key Provisions of the CCPA:

The CCPA grants consumers the right to request a business to disclose any of the following:

  • All data collected about the consumer
  • The categories of sources from which that information is collected
  • The business purpose for collecting or selling that information
  • Third parties with which the information is shared

In this case, business purpose is defined as:

  • Auditing or verification related to transactions
  • Detecting security incidents, fraud prevention or illegal activity
  • Debugging to identify and repair errors
  • Short-term transient use
  • Performing services on behalf of the business or service provider

What are the Penalties for Violating the CCPA?

Effective January 1, 2020, organizations have 45 days to respond to any verified consumer request under the CCPA. If a business fails to address a violation within 30 days of notification, the California Attorney General may impose a maximum penalty of up to $7,500 for each violation. If there is an unauthorized infiltration of data, consumers can assert a private right of action to recover damages of up to $750 per violation.

In contrast, the GDPR, the EU law on data protection and privacy, takes a tiered approach to fines. Depending on the violation that occurred, the penalty may be either 4 percent of the prior year's global annual turnover or $20 million, whichever is greater, or 2 percent of global annual turnover or $10 million, whichever is greater.