How CCPA & GDPR Impact Your Business's Operations
PRIYA KUMARI
Introduction
Data is the central player for businesses that process personal data. Not only do data-driven insights help businesses make astute decisions in real time, but how you handle & process the personal data of your customers also determines whether or not you will be able to thrive in the highly competitive B2B world.
According to a study by Forrester, 61% of the US adults are concerned about the sharing of their personal data online and 71% of the enterprises accede that privacy protection is a priority for them.
The figures suggest that how organizations breed privacy into their DNA will be the key brand differentiator in the time ahead.
Moving forward, businesses need to comply with the General Data Protection Regulation (GDPR) (implemented on 25/3/2018) as well as the California Customer Privacy Act (CCPA) (effective from 1/1/2020, officially called AB-375) to mitigate the data accessibility & control risks pertaining to the collection, processing & movement of customers' personal data.
Data protection has become a non-negotiable priority for businesses, & with the introduction of CCPA businesses need to make minor tweaks to their privacy policies so that they set out the detailed methodologies for processing personal data along with their pledge to comply with both major data protection laws, viz. GDPR & CCPA.
Businesses need to give the staff members who deal with data protection specific training on handling, safeguarding & transferring customers' personal data. They also need to appoint a Data Protection Officer (DPO) to educate employees on the vital compliance requirements under GDPR & CCPA and to audit, monitor & record all the data protection activities of the company.
Apart from the privacy policy, businesses also need to ensure that their employees comply with the Electronic Communications Policy so that their data protection efforts are fully effective.
The Scope of the Privacy Policies
Adherence to a privacy policy is an absolute imperative for the current, former & prospective employees as well as workers, volunteers, apprentices & consultants of the businesses.
The people falling under at least one of the above-listed categories qualify as 'data subjects'.
The policy should be read alongside all the employment & service contracts as well as with other notices that the businesses issue from time to time, concerning data handling, management, processing, and transfer.
What is personal data?
Personal data can be defined as any information that relates to an identified or identifiable person (data subject). This information contains identifiers like a name, an identification number, location data, an online identifier or other factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The personal data businesses gather may include an individual's phone number, email address, educational background, financial and payment details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Relevant individuals can include colleagues, consumers, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or date of birth), an opinion about a person’s behavior, or information that may otherwise impact that individual – personal or business-related.
Personal data may be stored through an automated process e.g. electronic records such as computer files or in emails or in manual records which are part of a filing system or are intended to form part of a filing system e.g. structured paper files and archives.
Definition of Personal Data: CCPA vs. GDPR
CCPA differs from GDPR in its definition of personal data: in some cases CCPA takes into consideration only the data provided by the customer & excludes personal data that was purchased or accessed through a third party. GDPR, on the other hand, covers all personal data regardless of source (including sensitive personal information). The delineation of personal data in GDPR is much broader than that defined under CCPA.
CCPA defines personal information as information that identifies, describes, or links to a particular customer or household, such as a real name, Internet Protocol address, email address, account name, passport number, or other similar identifiers. However, publicly available information is not considered personal.
Fundamental differences between CCPA & GDPR include the scope and territorial reach of each definition related to protected information, levels of specificity & an opt-out right for sales & personal information.
What does ‘processing’ personal data mean?
‘Processing’ personal data is defined as any activity that involves the use of personal data – obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying. Processing also includes sending or transferring personal data to third parties.
Categories of Personal Data under CCPA
CCPA defines personal information as information that identifies, describes, or links to a particular customer or household, such as a real name, Internet Protocol address, email address, account name, passport number, or other similar identifiers. Publicly available information is not considered personal.
CCPA takes into account only the data provided by the customer & excludes personal data that was purchased or accessed through a third party.
Personal information under CCPA falls into the following categories:
a. Identifiers:
This category of data includes name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.
b. Customer records information:
This category of personal information includes details such as addresses, telephone number, education, employment status, financial information, passport number & other critical information such as health information.
c. The protected classifications under California or federal law:
This category of personal information includes race, religion, sexual orientation, gender identity, gender expression & age of the customers.
d. Commercial Information:
This data category includes records of personal property, products or services purchased, obtained or considered or other consuming inclinations of the customers exhibited across several platforms across the web.
e. Biometric Information:
This category of personal information includes details such as hair color, eye color, fingerprints, height, retina scans, voice, facial recognition & other biometric data.
f. Information collected from the Internet of Things & other Electronic Activity:
This category of personal information includes information such as browsing history, search history & information regarding the interaction of a customer with an internet website, advertisement or an application.
g. Geolocation data:
This data reflects the physical location of prospects and helps businesses serve them with hyper-personalized ads.
h. Electrical, olfactory, audio, visual, thermal or similar information:
This data category usually includes a wide array of sensory information pertaining to the prospects.
i. Professional or employment details:
This data category includes the current or past job history or performance evaluations of the prospects.
j. Educational Background:
This information entails information that is not "publicly available personally identifiable information" and has been defined under the California Family Educational Rights & Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
k. Inferences:
This category includes inferences that can be used to create a profile reflecting the preferences, characteristics, psychological trends, behaviors, predispositions, attitudes, intelligence, abilities & aptitudes of the customers.
Apart from the major categories of personal data enlisted above, the attorney general of California is entitled to add categories of personal information to address changes in technology, data collection practices, obstacles to implementation & privacy concerns.
Personal information under CCPA doesn't include publicly available information, & information such as financial & medical information regulated by the Health Information Portability & Accountability Act (HIPAA) is exempted under CCPA.
Businesses Must Ensure That They Safeguard the Personal Information of the Customers
In accordance with their data subjects, data items, data retention & geographic range of processing, businesses need to appoint a Data Protection Officer (DPO) to educate employees & the company at large on the importance of data compliance & to design up-to-date training for staff involved in data processing. The officer shall also conduct regular security audits on two prime areas of operation, i.e. data collection & storage.
The responsibilities of the DPO include but aren’t essentially limited to the following:
- Educating the company & employees of the importance of compliance with the data protection regulations
- Designing training for staff involved in data processing
- Conducting frequent audits to ensure compliance with the data protection laws & to proactively address any potential or underlying issues (if any)
- Serving as the point of contact & communication between the businesses & the supervisory authorities dealing with the data protection laws such as GDPR & CCPA
- Maintenance of comprehensive data processing records about all the data protection activities conducted by the businesses, including the purposes of all processing activities, which can be made public on request
- Interfacing with the data subjects to inform them about the methodologies of their data usage as well as about their rights such as the right to have their data erased & about the measures in place by the company to protect their personal information
The Intensified Pursuit for Data Protection Compliance & Why It is More Important than Ever Before?
The GDPR Perspective
The General Data Protection Regulation (GDPR) is a data protection regulation framed by the European Union (EU) on 14/4/2016 & implemented on 25/5/2018 to protect the privacy of all individual citizens of the European Union (EU) & the European Economic Area (EEA). It requires the correct implementation of data protection principles so that individuals' personal data is safeguarded throughout its collection, storage, processing, transfer & erasure.
GDPR ensures that the data subjects of any enterprise established in the EEA, regardless of their citizenship, have a say on whether they want their personal data to be processed for business purposes, & businesses need to ensure that they have appropriate technical & organizational measures in place to safeguard personal data using pseudonymization or full anonymization wherever applicable.
As per the norms of GDPR, businesses are obliged to report any data breaches within 72 hours. They must understand that they run the risk of hefty fines of up to €10 million or 2% of the company's global turnover, whichever is greater, if they violate the GDPR norms. More serious violations of the GDPR norms may result in fines of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.
The CCPA Slant
The California Customer Privacy Act (CCPA) was signed into law on June 28, 2018, & became effective from January 1, 2020.
CCPA compliance is mandatory for businesses & non-profit organizations (NGOs) that collect customers' personal data, operate in California & meet at least one of the following criteria:
- An annual revenue exceeding $25 million
- Involvement in buying or selling the personal information of 50,000 or more customers or households
- Earning more than 50% of annual revenue from selling customers' personal data
Under the act the residents of California have the right to know what sort of personal data is being collected about them, whether it is being sold & if yes, to whom. They have the right to deny the sale of their personal data & the right to request businesses to delete their personal information or to have access to it, whenever required.
The privacy rights can be exercised without discrimination of any kind.
Businesses are obliged to “implement & maintain reasonable security procedures & practices” for protecting customer data as directed by CCPA & businesses must ensure that they hold themselves accountable to their comprehensive responsibilities in the following ways:
- Before sharing any personal data for business purposes, businesses must obtain parental or guardian consent for minors below 13 years of age & the explicit affirmative consent of minors between 13 and 16 years
- Businesses must have a "Do Not Sell My Personal Information" link on the home page of their website. This link directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the personal information of any user residing in California.
- Customers can submit requests for accessing their personal data
- Businesses must update their privacy policies to describe California residents' rights, under a heading such as "California Residents' Rights", & must not ask a California resident to opt back in for 12 months after they opt out.
California residents can authorize companies, activists & associations to exercise the right to opt out on their behalf. If a business falls victim to a data security breach, it can be ordered to pay damages of between $100 & $750 or the actual damages, whichever is greater, subject to the decision of the California Attorney General's Office. A fine of up to $7,500 for each intentional violation & up to $2,500 for each unintentional violation can be imposed on the company.
In the event of a breach of the data protection law, there will be severe damage to the brand name of the business & it can also be subject to serious legal liabilities. Therefore, privacy notices must be accessible & should be available in alternative formats.
Redefining Data Protection
Businesses falling under the jurisdiction of CCPA are obliged to protect the data privacy of their customers. They must hold themselves accountable & demonstrate compliance with the latest international data protection regulations.
The following is a list of the key obligations under the data protection laws & details of how businesses must comply with them:
1) Customers Have the Right to Erasure (Deletion) of Personal Data:
The GDPR Perspective
Under GDPR, personal data is defined as any piece of information pertaining to an identified or identifiable data subject, which also includes publicly available data. However, this doesn't apply to anonymized data. GDPR guarantees individuals the right to erasure of their personal data.
The data controllers or processors at businesses are bound to delete the personal data of a data subject under the following circumstances:
- The personal data is no longer necessary because the purpose for which it was collected has been served
- No legal ground for processing the personal data exists other than the consent of the data subject, and that consent has been withdrawn
- The data subject objects under Article 21(1) and there is no other legal ground for processing the data
- The personal data must be deleted to comply with a legal obligation
- The data was collected from a child under Article 8(1)
- A data subject wants to exercise his right of freedom of expression & information &, consequently, wants the data controller to erase the personal data
- For complying with the legal obligations of the EU or any of its member states
- Reasons of public health & medicine mentioned under Article 9(2)(h) & (i) and 9(3)
- For archiving, scientific or historical research, or statistical purposes, subject to pseudonymization or minimization of any other kind as mentioned under Article 89(1)
The CCPA Slant
The right to deletion of personal data under CCPA applies only to the data collected from the customer & not from the third-party sources.
The customers can request businesses for the deletion of their personal information, except when it is needed to:
- Perform a contract with the customer or complete a transaction for which the information was collected
- Detect security incidents or protect against malicious, deceptive or illegal activity
- Debug or repair errors that impair essential functionality and cause operational complications for the company
- Exercise the right to free speech or any other rights of businesses or customers
- Comply with the California Electronic Communications Privacy Act
- Engage in public or peer-reviewed research in the public interest
- Enable internal uses that are reasonably aligned with the customers' expectations based on their relationship with the business
- Comply with a legal obligation
- Use the customers' personal information internally in a lawful way that is compatible with the context in which the customers originally provided it
2) Data Subjects can exercise the Right to Access or Disclosure of the Personal Data
The GDPR Perspective
Businesses must inform customers of their rights at the time of data collection. The data subjects have the following rights:
- Right to request access to their personal data
- If the data controller has made the personal data public, it is bound to take appropriate steps to inform other parties responsible for processing the data about the request made by the data subject to access the data & about the steps taken thereafter
- Controllers & processors must be able to recognize a request for access & must provide the personal data undergoing processing to the customers
- Customers who request data electronically must be provided with the data in electronic form
The CCPA Slant
Businesses must inform customers at or before the point of collection of their personal data about the categories of personal information to be collected & the purpose for which they will be used.
Customers have the following rights pertaining to the disclosure of their personal information:
- They can request the personal information that has been collected & how it is processed & for what purposes & with whom it is shared
- Businesses must make the disclosure within 45 days of receipt of a verifiable request & can take one 45-day extension where reasonable, provided they notify the customer within the first 45 days of the request's submission
- The disclosure must include data covered 12 months before the request.
3) Data Portability Requirement
The GDPR Perspective
If the access request was made by electronic means, the information should be provided in a commonly used electronic form unless the data subject requests otherwise.
Under specific circumstances, data subjects have additional rights to:
- Receive a copy of their personal data in a structured, usable & machine-readable format
- Transmit their data to another controller without any resistance from the businesses (the original controller), including to have the personal data transmitted from the businesses to the second controller
The CCPA Slant
The data disclosures must be delivered by the businesses via an email or electronically. The information must be portable & in a readily useable format if delivered electronically.
4) Restriction of Data Processing or Right to Opt-Out
The GDPR Perspective
The data subjects may request a controller to restrict the processing of personal data under the following circumstances:
- The personal data is inaccurate
- The processing is unlawful & the data subject prefers not to get the data deleted
- The controller no longer needs the personal data for processing, but the data subject requires it for exercising or defending a legal claim
- The data subject has objected to the processing of data under Article 21(1) pending verification of whether the controller can process on other legal grounds
- If a data subject seeks to obtain the restriction of processing of personal data, restricted data may not be further processed by the businesses, except when required for exercising a legal claim or defense or for other reasons of vital public interest
- A data subject must be informed before a restriction on their personal data is lifted
- Restriction can be ensured by technical means & restricted data must be clearly marked
The CCPA Slant
Customers have the right to opt out of the sale of their personal data. Businesses must provide notice of opt-out rights.
They must include a link titled "Do Not Sell My Personal Information", along with a description of the opt-out rights, in the privacy policy and in the California-specific description of privacy rights on the home page of their websites.
The willful disregard of a customer’s age will be treated as the actual knowledge of their age.
5) Personal data should be processed in a fair, lawful and transparent manner
Legal grounds for the processing
According to the data protection laws personal data can be processed only when there are fair and legal grounds that justify using the information. Where consent is relied upon, it must be freely given, specific, informed and unambiguous, and businesses must effectively demonstrate that consent has been given.
In most standard business activities that involve the use of customer or supplier data, consent is not required, but it may be needed for activities not required when managing the main business relationship, such as direct marketing activities.
Transparency
According to the data protection law, businesses are required to process personal data transparently by providing individuals with appropriate, clear and concise information about how they process their personal data.
Businesses must inform customers about how they use their data via data collection forms such as application forms or website forms, and in longer privacy notices businesses must set out details that include: the types of personal data that they hold about individuals, how they use those data points, their legal grounds for processing the information, with whom they might share it, and how long they will keep it.
6) When handling sensitive or special categories of personal data Businesses must take extra care
There are some categories of personal data that are particularly sensitive which include information that reveals details of an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Physical or mental health;
- Sexual orientation;
- Biometric or genetic data and
- Criminal offenses or convictions.
Where special category personal data is concerned, data protection law requires businesses to have an additional legal ground to justify using this sensitive information.
7) Personal data should be processed only for specified, explicit and legitimate purposes
Businesses must process personal data only for legitimate purposes such as carrying out their business operations and administering employment and other business relationships.
8) Appropriate steps must be taken to keep personal data secure
A key responsibility for businesses and their workforce is keeping personal data safe and in compliance with the security procedures to protect the confidentiality, integrity, availability, and resilience of personal data.
Businesses often have an Electronic Communications Policy setting out protocols for employees on the use of technology and communications systems, which also helps to ensure appropriate security of personal data stored or communicated using such systems.
Through regular evaluation, businesses must test the effectiveness of these measures to ensure the security of their personal data processing activities.
9) When sharing or disclosing personal data take extra care
As sharing or disclosing of personal data is a type of processing, all the principles described under CCPA need to be complied with.
Internal data sharing
Businesses must ensure that personal data is shared internally only on a 'need to know' basis.
External data sharing
Personal data must be shared with other third parties (including group entities) only when businesses have a legitimate purpose and an appropriate legal ground under data protection law which allows them to do so. Commonly, this could include situations where businesses are legally obliged to provide the information or where it is necessary to perform their contractual duties to individuals.
Businesses may appoint third-party service providers, also known as processors, who will handle information on their behalf, for example to provide data storage or other technology services. Businesses are responsible for ensuring that their processors comply with data protection laws and privacy policies while handling the personal data of individuals. Before and during the appointment of a processor, businesses must assess and apply data protection and information security measures. Depending on the nature of the activities, the extent of these measures will vary, but they will include suitable risk assessments and reviews, and contractual obligations.
10) Unless appropriate safeguards are in place do not transfer personal data to another country
When personal data is transmitted or sent to, viewed, accessed or otherwise processed in a different country, an overseas transfer of the data takes place. European Union data protection law restricts personal data transfers to countries outside the European Economic Area (EEA, i.e. the European Union plus Norway, Liechtenstein, and Iceland) to ensure that the level of data protection provided to individuals is not compromised, as the laws of such countries may not provide the same level of protection for personal data as within the EEA.
To ensure that data protection is not compromised when personal data is transferred to another country, businesses must assess the risks of any transfer of personal data outside the EEA and enforce additional appropriate safeguards where required.
11) Do not use profiling or automated decision-making unless you are authorized to do so
Automated decision-making or profiling occurs when an individual's personal data is processed and evaluated through automated means which results in an important decision being taken concerning that individual. This poses risks for individuals when a decision is made based solely on that profiling or automated processing.
Except in very limited circumstances, data protection law prohibits decision-making based solely on profiling or other automated processes. Besides, where profiling or other automated decision-making is permitted, safeguards are put in place allowing individuals to express their point of view and challenge the decision.
12) Integrate data protection into operations
Data protection laws require businesses to build data protection considerations and security measures into all of their operations that involve the processing of personal data, particularly at the start of a new project or activity which may have an impact on the privacy of individuals. This involves taking into account various factors including:
- The risks posed by the processing for the rights and freedoms of individuals;
- Technological capabilities;
- The cost of implementation; and
- The nature, scope, context, and purposes of the processing of personal data.
Data protection risks will be assessed regularly throughout the lifecycle of any project or activity that involves the use of personal data.
Departures from the Privacy Policy
Under the data protection law, there are some very limited exemptions, which permit departure from aspects of this policy.
Staff must be given specific instructions if any exemptions are relevant to their role.
If businesses think they should be able to depart from this policy under any circumstances, they must consult the Data Protection Officer before taking any action.
Why do Businesses collect and process information?
Collection of personal data is an essential element of the client relationship management. To live up to their objective to elevate their customer experience management (CXM) indexes to entirely new levels businesses must collect & process personal data.
The personal data also helps businesses to precisely target their marketing niches & develop services as per the expectations of their customers.
Businesses must assure their customers that they collect & process their personal data only for pre-defined & lawful purposes.
How Do Businesses Collect & process information?
The personal data of the customers is one of the most important business assets for businesses.
Businesses need to have an enhanced understanding of their customers to assure they are able to address their needs precisely. This helps them in meeting or exceeding the expectations of the customers. They must also assure customers that their methods for collection and processing of personal information are lawful & in congruence with the norms of CCPA.
Businesses often employ a data management platform or DMP for the collection, organization, mapping, preparation, analysis & activation of personal data.
The data is usually collected in the following steps:
- Businesses determine the information they want to collect. The data is collected only if it is permissible under the CCPA guidelines
- Businesses can track personal data as old as 12 months
- Businesses usually store & organize customers’ personal data in DMP & thereafter, it is further processed
- The data is analyzed & the insights driven from data analysis are implemented
Methods by which Customers can request access, change, move, or deletion of personal data
Customers can request access to their personal data, can ask to change or update it and can even request to move or delete it. The requests must be submitted to the email addresses specified by the business or can be submitted electronically on the website by filling in the "Do Not Sell My Personal Information" form.
Businesses are bound to deliver the disclosures through email or electronically as per the request of the customers.
The method for authenticating the identity of a person who submits a request
Businesses are obliged to apply reasonable security procedures on every occasion a person requests access to, updating of or deletion of their personal records.
Additionally, they must also ensure that a "Do Not Sell My Personal Information" request comes either from the customer himself or from someone whom the customer has authorized to opt out of the sale.
Businesses should recognize that any unauthorized access may also result in a breach, that they can be penalized for it & that their brand equity may also suffer.
The identity of the data subject is verified using one or more of the following checks:
- By checking the past purchasing & browsing history of the customer, provided the business has a record of it in its CRM or DMP
- By verifying the customer's email address and checking that it is the same one from which the opt-in request was made
- Under special circumstances, if asked by the government or the data protection authorities, businesses may also request critical & sensitive information to protect the rights of their data subjects & to avoid putting their rights under CCPA at risk
- In most cases, testing a customer's knowledge of the data they are requesting allows the business to confirm that the same customer is making the request
Businesses must not process any request concerning a customer's personal data unless they are 100% sure of the requester's identity. If identity cannot be authenticated, businesses should refuse to give anonymous persons any control over the personal data & should ask for additional information to validate the identity.
Sales of users’ Personal Data & how Customers can opt-out of the selling of their Data?
As per the CCPA statute, a "sale" of personal data means that data is exchanged directly for money or similar valuable consideration. Businesses usually reserve the right to sell, rent, disseminate, transfer or communicate the personal information of customers orally or in writing to third parties for monetary or commercial purposes such as cross-context behavioral advertising.
The in-house lawyers of businesses review the commercial agreements to assess whether the "personal information" relating to a particular customer is being sold.
As the draft regulations of the attorney general of California under CCPA mention, businesses must ensure that they abide by CCPA's opt-out requirements.
Customers can put forth a "Do Not Sell My Personal Information" request by clicking on a link. The link has to be provided on the home page of the business's website. Businesses are obliged to allow any customer who is a resident of California to opt out of the sale of his personal information using this link.
Users can opt out of their data being sold by businesses from either desktop or mobile devices.
Non-discriminatory Practices to Ensure Equal Treatment for the residents of California
Abiding by section 1798.120 of the CCPA, businesses should hold themselves responsible for not discriminating against customers who are residents of California simply because they choose to exercise the rights they are entitled to under CCPA.
Businesses should assure their customers' rights to exercise opt-out of the processing of their personal data, whenever they want to.
However, businesses are entitled to:
- Sell services to their customers
- Charge different prices for different or higher-quality services sold
- Provide quality products or services to their customers
- Charge different prices according to the level of service provided, but only if the price difference is reasonably related to the value of the personal information at stake
Wrap Up
Many businesses may think that if they have already prepared for GDPR, they needn't start all over with CCPA. However, being GDPR compliant doesn't mean that you're fully covered under CCPA. CCPA has some exclusive requirements & some unusual operational & privacy challenges that make it more prescriptive than GDPR. Businesses need to gear up & decide how they are going to come up with a framework to address the additional data & privacy challenges for customers, striking a balance between their operational & resource management budgets. The anti-discrimination clause of CCPA remains another area to be vigilant about.