The California Consumer Privacy Act (CCPA), a landmark data privacy law that grants the right to California consumers to control their personal information, took effect on January 1, 2020. Since then, businesses that fall under its scope, including national and international companies, have been obliged to comply with CCPA regulations.
Find out how CCPA compliance affects your business and how a consent management system can help by contacting Ketch today.Â
What Is The CCPA?
The CCPA is a comprehensive data privacy law that affords California consumers the right to control the personal information that businesses collect from them and use or sell. These include:
- The right to know about the personal information a business collects, uses, and shares
- The right to delete the personal information collected by businesses (with some exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their rights under the CCPA
What Is Considered Personal Information?
CCPA personal information refers to data “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular” California resident or household.
These include, but are not limited to, identifiers, commercial information, biometrics, online activity, and inferred consumer profiles.
When Did The CCPA Take Effect?
The CCPA took effect in January 2020 after several amendments, since it was signed into law in 2018. Since the CCPA effective date, the California Attorney General's Office has introduced regulations to clarify and interpret the law.Â
In July 2020, the CCPA became officially enforceable when the California Department of Justice began to notify businesses of potential non-compliance, giving them 30 days to rectify alleged violations.
What Does The CCPA Effective Date Mean For Businesses?
The CCPA only applies to for-profit businesses that “do business in California” and meet at least one of the following criteria: Â
- Has a gross annual revenue of more than $25 million
- Buys, receives, or sells (or in any way makes available to another, e.g. renting, disseminating, etc.) the personal information of at least 50,000 California residents, devices, or households
- Derives at least half of their annual revenue from selling the personal information of California residents
All businesses that fit the bill—even those that aren’t located in California but profit from doing business with its residents—must comply with the law after its effective date.
To do this, the CCPA has regulations that guide businesses to be compliant. Generally, these oblige businesses to make their data practices transparent and to provide consumers the avenues to exercise their rights. Here are some examples:
Update Privacy Policy
Businesses must review and update their privacy policy to describe the rights afforded by the CCPA. It must also detail the categories of personal information that is collected from consumers, as well as how this data is stored, used, or made available to others through sale, exchange, transfer, etc.
Additionally, a compliant privacy policy should also explain how consumers can exercise their CCPA rights.
Obtain Opt-In Or Opt-Out Consent
Businesses must include a “Do Not Sell My Personal Information” link or page on their website under the CCPA’s “right to opt-out.” It should be clearly placed on a conspicuous location on the website or in an application’s settings page and in the privacy policy.
Businesses aren’t allowed to sell the personal information of minors. So they should also add opt-in consent channels for consumers between thirteen to fifteen years old or for the parents of users under thirteen.
Provide Channels To Request Access Or Deletion of Data
Businesses need to create CCPA-compliant practices to process consumer requests to access or delete the personal information collected from them. There should be at least two methods to submit these requests, followed by a procedure that confirms, verifies, and processes such requests promptly.
Train Employees About The CCPA
The CCPA can affect how businesses operate, especially if the products or services are sold or provided online. So businesses must train their employees about the CCPA to ensure its proper implementation.
Review Agreements With Third Parties And Service Providers
Businesses have the responsibility of updating agreements with third parties or service providers that manage the personal information of their consumers to be CCPA-compliant.
Conclusion
The CCPA won’t be the last data privacy law. So even businesses that don’t fall under its scope should review the regulations and apply the changes to their current data practices to get ahead of more markets shifting into better protecting the personal information of consumers.
‍
