The California Consumer Privacy Act, or the CCPA, became effective on January 1st, 2020. It requires larger businesses to mention Californian consumers’ privacy rights in their privacy policies. These businesses must also mention how they utilize consumers’ data. This Act also applies to businesses outside of California if they are collecting or using the personal data of California residents.

Like GDPR, the CCPA aims to give consumers more control over how businesses use their personal information. This promotes consumer trust and prevents improper trade practices by large corporations. If you think it’s time for your business to comply with the CCPA, you should consider NordLayer’s solution for security compliance.

Who Does the CCPA Apply To?

The CCPA applies to any person who is regarded as a resident under the state’s tax laws, regardless of where they are currently located. It applies to for-profit organizations involved in collecting and processing personal data belonging to California’s citizens. These organizations may be tech companies, startups, and data brokers. One or more of the following criteria will have to be met for such entities to fall under the scope of the CCPA:

  • More than $25 million annual gross revenue.
  • The company processes the personal information of more than 50,000 California residents. This involves receiving, buying, selling, and sharing.
  • More than 50% of that organization’s annual gross revenue comes from selling California residents’ personal information.

Checklist for CCPA Compliance Preparation

If your business falls under the scope of CCPA, it is the perfect time to start preparing your business for California Consumer Privacy Act (CCPA) compliance. Below is a checklist that will help you start off with the compliance management process.

Identify the Information That Needs to be Protected

To know what constitutes “personal information,” refer to the California Civil Code Section 1798.140 (o) (1-2). Any information directly or indirectly identifying a consumer or a household may be classified as personal information. This mainly includes the real name, postal address, email address, social security number, commercial information, internet activity, biometric information, geolocation data, etc. Once you identify such information, you should understand that this data needs to be protected to ensure CCPA compliance.

Create a Privacy Policy

Ensure your business’s privacy policy is written in plain and understandable language. To ensure transparency, clearly mention what information you collect, how you store it, and how you use it. Communicate all consumers’ rights over their personal data under the CCPA. Make sure that your privacy policy is regularly updated. 

You must mention the last update date on your privacy policy page to ensure better trust. Lastly, be sure to include your contact details in case customers have a query related to their personal data.

Understand the Rights of the Consumers Under the CCPA

You need to understand the rights that consumers have over their personal information. To allow customers to submit their requests seamlessly, you should provide at least two communication channels (e.g., a phone number and email address). To ensure that the correct person generates the request, you should have a verification and validation process.

It is recommended that you have a legal team in your business that specializes in handling cases related to the CCPA. The following are the consumer rights under the CCPA that you need to keep in mind:

  • Right to access
  • Right to portability
  • Right to deletion
  • Right to notice
  • Right to opt-out
  • Right to non-discrimination

Consent

If your business wants to “sell” the personal information of children under the age of 13, parental consent is required. In the case of minors aged between 13 and 16 years, you must get opt-in consent for “selling” their personal information. The CCPA gives customers the right to deny consent for selling their personal information at any time.

Even if your business gets hold of an individual’s data, the data owners have the right to delete it from your records. You’ll also be liable for getting this data deleted from any direct service providers who might have gotten the information from your business.

Creation of an Opt-Out Mechanism

Your business must create a webpage that lets customers seamlessly exercise their opt-out rights. To allow the customers to opt out of businesses selling their personal information, provide them with a “Do Not Sell My Personal Information” (DNSMPI) link or an “opt-out button” on your website.

Use of Cookies

While you’re allowed to load and use cookies on your website without anyone’s consent, you are still required to disclose what kind of cookies are being used and how you will process the consumer’s data. 

Take Necessary Steps to Safeguard the Consumer Data

You should have strong security protocols to protect your business from potential data breaches. Having an efficient breach management procedure in place is an important aspect to be considered in CCPA compliance. In case of a suspected online data privacy breach, make sure to notify the authorities ASAP.
