The CCPA – California Consumer Privacy Act
After the GDPR, which went into effect on 25 May 2018, the California Consumer Privacy Act of 2018 (“the CCPA”) is considered to be one of the most significant legislative privacy developments.
What is the CCPA?
The CCPA is a California statute, the California Consumer Privacy Act of 2018, whose requirements apply to businesses that handle the personal information of California residents regardless of where those businesses are located. As of January 1, 2020, businesses across the globe have to comply with additional requirements on the processing of personal information of California residents. The CCPA is the result of a compromise between consumer privacy advocates and California businesses seeking to avoid a stricter privacy ballot initiative.
Does it apply to my organization?
The CCPA applies to any for-profit business, wherever it is located, that does business in California, collects California residents' personal information (including that of employees), determines the purposes and means of processing it alone or jointly with others, and meets one or more of the following thresholds:
- Revenue threshold – Has annual gross revenues in excess of US$25 million;
- Revenue threshold – Derives 50 percent or more of its annual revenue from selling consumers' personal information; or
- Personal information threshold – Annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
Under section 1798.140(c)(2), the definition of "business" also covers any entity that controls or is controlled by a business meeting the thresholds and shares common branding with it, so parent companies and subsidiaries using the same branding are caught even if they themselves do not exceed the thresholds.
Data protection rights addressed by the CCPA
The CCPA gives California residents the right to:
- Know what personal information is being collected
- Access the personal information that is collected, and request it be deleted
- Know whether their personal information is being shared, and if so, with whom
- Opt-out of the sale of their personal information
- Have equal service and price, whether or not they choose to exercise their privacy rights
What do businesses need to do?
Now is the right time for businesses across the globe to start assessing the impact of the CCPA on their operations. Anyone who has worked on GDPR compliance knows that 3-6 months is not enough time. Affirmative steps towards compliance with the new CCPA requirements include, but are not limited to, the following:
- Establish and maintain a data inventory of personal information collected or sold from California residents – Under this part, businesses will need to review all the IT systems and categorize the personal information of California residents collected and/or sold in the past 12 months.
- Mapping of the personal information collected by the business and locations where this personal information is stored – Mapping of the personal information collected will be done by the business in order to understand the flow of data across the organization. This will help to create new policies, procedures, and framework for CCPA.
- Verifiable consumer requests – Businesses must respond within 45 days of receiving a verifiable consumer request with accurate and specific disclosure of the categories of personal information collected and/or sold in the preceding 12 months; the period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. Businesses also have to provide designated methods through which consumers can submit such requests, including a toll-free telephone number and, if the business has a website, a web address.
- Access rights – Under section 1798.110(a)(5), a consumer may request "the specific pieces of personal information it has collected about that consumer". Section 1798.100(d) requires that this be delivered by mail or electronically and, if electronically, in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.
- Erasure rights – Under section 1798.105, a mechanism must be in place that allows consumers to request deletion of their personal information from the business's systems, servers, and service providers. On receiving a verifiable deletion request, the business must delete the information from its own records and direct its service providers to delete it as well; a service provider acting for a business handles such requests on the business's documented instructions rather than deleting on its own initiative. Section 1798.105(d) lists exceptions under which the information may be retained, for example where it is necessary to:
  - Comply with the California Electronic Communications Privacy Act
  - Exercise a right provided by law, or comply with a legal obligation
  - Detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity
  - Complete the transaction for which the personal information was collected, or otherwise perform the contract with the consumer, etc.
- An individual right to opt out of the sale of personal information – Under section 1798.120, consumers must be able to opt out of the sale of their personal information to third parties, and section 1798.135 requires a clear and conspicuous link on the business's Internet homepage titled "Do Not Sell My Personal Information". Section 1798.185(a) directs the Attorney General to adopt rules on verifying consumer requests: a request submitted through a password-protected account the consumer maintains with the business, while logged in, is to be treated as verified, and the business must provide a separate mechanism for authenticating consumers who have no account. In practice this means IT systems must authenticate the requester before any disclosure or deletion is carried out; a weak verification step turns the access right into a channel through which an impersonator can obtain someone else's personal information.
- Security and breach response plan – Section 1798.150 gives consumers a private right of action when nonencrypted or nonredacted personal information is breached as a result of a failure to implement reasonable security, so the plan should cover both prevention and response.
- Update contracts with third-party service providers so that they are bound to the CCPA's service-provider terms, which prohibit retaining, using, or disclosing personal information for any purpose other than performing the contracted services.
- Remediation plan for information security gaps and system vulnerabilities.
- Training of personnel with access to personal information on the CCPA requirements.
- Maintain documentation of the technical and organizational measures required under the CCPA.
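The request-handling steps above (verification before disclosure, the 45-day window with its single extension, the 12-month lookback, a portable export, and deletion that is propagated to service providers subject to the statutory exceptions) can be expressed as a small intake model. The following Python is an added example written for this page and is not code from the original article or from any regulator; the field names, the record layout, the exception labels and the sample records are assumptions chosen for illustration, and a real deployment would plug its own identity-verification step into `verify`.

```python
"""Intake model for CCPA verifiable consumer requests (added example, not
from the original page). Names, record layout and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import json

RESPONSE_WINDOW = timedelta(days=45)   # Cal. Civ. Code 1798.130(a)(2)
LOOKBACK = timedelta(days=365)         # disclosures cover the "preceding 12 months"
# Our own labels for 1798.105(d) retention exceptions (not statutory text).
RETENTION_EXCEPTIONS = {"calecpa", "legal_obligation", "security", "pending_transaction"}

@dataclass
class Record:
    category: str                                      # e.g. "identifiers"
    value: str
    collected_at: datetime
    sold_to: List[str] = field(default_factory=list)   # third parties it was sold to
    held_by: List[str] = field(default_factory=list)   # service providers holding a copy
    retention_reason: Optional[str] = None             # set when an exception applies

@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str                  # "access" or "delete"
    received_at: datetime
    verified: bool = False
    extended: bool = False

def verify(req: ConsumerRequest, logged_in_account: Optional[str] = None,
           verifier: Optional[Callable[[str], bool]] = None) -> bool:
    """A request made from the consumer's own password-protected account while
    logged in counts as verified; anyone else must pass the business's separate
    identity check, supplied here as a callable (assumed interface)."""
    if logged_in_account is not None and logged_in_account == req.consumer_id:
        req.verified = True
    elif verifier is not None:
        req.verified = bool(verifier(req.consumer_id))
    return req.verified

def due_date(req: ConsumerRequest) -> datetime:
    """45 days from receipt, or 90 if the one permitted extension was taken."""
    return req.received_at + RESPONSE_WINDOW * (2 if req.extended else 1)

def extend_once(req: ConsumerRequest) -> bool:
    """Take the single 45-day extension; False if it was already used."""
    if req.extended:
        return False
    req.extended = True
    return True

def in_lookback(records: List[Record], now: datetime) -> List[Record]:
    return [r for r in records if r.collected_at >= now - LOOKBACK]

def export_portable(req: ConsumerRequest, records: List[Record], now: datetime) -> Dict:
    """Access-request response: categories collected and sold, recipients and
    the specific pieces, limited to the lookback. Nothing is disclosed for an
    unverified request, so the verification gate cannot be bypassed by callers."""
    if not req.verified:
        raise PermissionError("disclosure refused: request not verified")
    recent = in_lookback(records, now)
    return {
        "consumer_id": req.consumer_id,
        "categories_collected": sorted({r.category for r in recent}),
        "categories_sold": sorted({r.category for r in recent if r.sold_to}),
        "third_parties_sold_to": sorted({p for r in recent for p in r.sold_to}),
        "specific_pieces": [{"category": r.category, "value": r.value,
                             "collected_at": r.collected_at.isoformat()} for r in recent],
    }

def process_deletion(req: ConsumerRequest, records: List[Record]):
    """Split records into kept (a retention exception applies) and deleted, and
    list the service providers the business must direct to delete their copies."""
    if not req.verified:
        raise PermissionError("deletion refused: request not verified")
    kept, deleted, notify = [], [], set()
    for r in records:
        if r.retention_reason in RETENTION_EXCEPTIONS:
            kept.append(r)
        else:
            deleted.append(r)
            notify.update(r.held_by)
    return kept, deleted, sorted(notify)

# Constructed sample data for the demonstration, not real records.
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("identifiers", "alice@example.com", NOW - timedelta(days=30),
           sold_to=["AdNet Co"], held_by=["MailVendor"]),
    Record("commercial information", "order 4411", NOW - timedelta(days=90),
           held_by=["Payments Inc"], retention_reason="pending_transaction"),
    Record("internet activity", "page views", NOW - timedelta(days=400),
           sold_to=["AdNet Co"]),   # older than 12 months: outside the lookback
]

if __name__ == "__main__":
    req = ConsumerRequest("alice", "access", NOW)
    verify(req, logged_in_account="alice")
    print(json.dumps(export_portable(req, SAMPLE_RECORDS, NOW), indent=2, sort_keys=True))
    print("response due:", due_date(req).date())
    kept, deleted, notify = process_deletion(
        ConsumerRequest("alice", "delete", NOW, verified=True), SAMPLE_RECORDS)
    print("retained:", [r.value for r in kept], "direct to delete:", notify)
```

The export is a plain dictionary serialised as JSON, which satisfies the "portable, readily useable" requirement without tying the consumer to a proprietary format. The two gated functions check the `verified` flag themselves rather than trusting the caller, and `process_deletion` returns the list of service providers to notify instead of silently dropping records they still hold, because the business's obligation to direct those providers is the part most easily forgotten.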
For more details on the CCPA – California Consumer Privacy Act of 2018, please refer: California Legislation Bill