In today’s digital age, most businesses are highly reliant on data, including personal information of their audience. In addition to collecting and processing consumer data, many companies also make money by selling this information. As a result, it is becoming increasingly crucial to protect the privacy rights of consumers.
Various laws have been passed to safeguard consumers against any kind of mishandling of their personal information. One such initiative is the introduction of CCPA or California Consumer Privacy Act. It is one of the most recent data protection laws passed by the California State Legislature in June 2018.
If your customer base includes residents of California, you have to take certain measures to become CCPA compliant. However, before we discuss how you can achieve that, let us understand what CCPA exactly entails.
In simple terms, CCPA is a law that aims to protect the privacy rights of residents of California. The bill was passed on June 28, 2018, and came into effect on January 1, 2019. What sets it apart from other privacy laws is that it also considers household information to be a part of personal data.
It is worth noting that CCPA is not a replacement for current personal data protection laws such as CalOPPA and GDPR. Instead, it has been introduced with the idea of complementing the existing laws. Thus, even if your business is already GDPR compliant, you will have to take adequate steps to become compliant with CCPA.
While CCPA doesn’t restrict you from collecting and selling a user’s data, it requires you to make the process transparent. This means that users must have a clear idea of how and why you are collecting their information. They should also be able to request access to, changes to, or deletion of their data. In addition, users should be given a way to opt out of the sale of their private data.
CCPA also requires you to obtain prior consent before selling the data of minors. If a user is between 13 and 16 years old, you can seek their permission for selling their data. However, if the user is below 13 years old, you have to take permission from their parents or guardian.
According to CCPA, personal information includes any of the following things:
● Personal identifiers such as a user’s real name, postal address, IP address, email ID, social security number, passport number, etc.
● Commercial information such as a user’s record of personal property, purchase history, etc.
● Information related to a user’s online behavior, browsing history, search history, etc.
● Geolocation data, employment history, academic background, etc.
Non-compliance with CCPA can be detrimental to your business. It puts you at risk of being fined up to $7,500 per violation. Additionally, the Attorney General can file a civil case against you if you don’t comply within 30 days of being notified. However, before you take steps to become CCPA compliant, you should first analyze whether the law applies to your business.
CCPA applies to a business if it collects private data of California residents and meets any one of the following criteria:
CCPA doesn’t focus on the size or scale of your business. Even if your business doesn’t meet the above-mentioned criteria at present, it is advisable to become CCPA compliant. This is because, as your business grows, it is likely to exceed one of the thresholds.
It is evident that becoming CCPA compliant is a necessity for today’s businesses. This is especially true if your business is online and is likely to attract users from California. Here are a few steps you can take to prepare for CCPA:
The first step is to identify the platforms that are being used by your business to collect private data from users. This includes your website, social media profiles, and any third-party platforms that are piggybacking on your website.
It is also crucial to understand the type of data that is being collected by each of these platforms. This helps you determine whether the data gathered falls under the purview of personal information, as defined by CCPA. Data mapping of your users from California is a simple and effective way of obtaining all this information.
Also, you should provide users with a way to raise requests to access, change, and/or delete their personal data. CCPA requires you to provide at least two methods for raising such requests. You can use a toll-free number, email address, contact form, website URL, etc. It is also crucial to introduce a verification process that validates the identity of users who make such requests.
You should also include a “Do not sell my personal data” link on your website that allows users to opt out of the sale of their data. Make sure that the process is quick, simple, and involves only a few steps. For instance, asking users to create an account before being able to opt out may trigger a CCPA violation.
The introduction of CCPA poses certain challenges for businesses that rely heavily on users’ personal data. Even if your business complies with the existing data privacy laws, you should take additional steps for CCPA. The key is to maintain complete transparency throughout the data collection, processing, and selling process.
Have you taken any other steps to prepare for CCPA? Share your views in the comments section below.