Now more than ever, data and privacy protection play a fundamental role in running a business both ethically and correctly. Anyone who complied with the General Data Protection Regulation (GDPR) back in 2018 knows that perfectly well.
In this case, however, we shall focus on the privacy law recently announced in California, which is similar to GDPR but not identical: the CCPA.
Be careful, though, because this law is not intended to replace any existing Californian data privacy laws.
If you’re not up to date on this new entry, take a look at this article.
The California Consumer Privacy Act (CCPA) came into effect in January 2020, intending to extend California consumers’ privacy rights.
But what is that about? Basically, this law allows consumers to have more control over their personal data and, at the same time, forces businesses to follow specific rules.
Despite this new law, the California Online Privacy Protection Act (CalOPPA), Shine the Light, and Privacy Rights for California Minors in the Digital World are still in force.
So be ready to be fully compliant with all of them.
The CCPA refers to consumers as “California residents”. That means businesses must take into consideration both Californians currently in the state and those travelling abroad.
Particular attention is paid to minors (younger than 13), whose parents must give or withhold consent. Minors between 13 and 16 years old can instead give consent themselves.
Now, if you’re wondering which kind of customers get to be protected, the answer is simple. The CCPA covers any type of consumer, from buyers of goods and services to employees.
There’s a significant amount of personal data the CCPA refers to. This includes direct and indirect identifiers, biometric and geolocation data, internet activity and sensitive information.
Aggregate and anonymous data are, on the other hand, exempt from the law. But what can consumers do about that? California residents have the right to request disclosure of the data collected about them, to request its deletion (unless the data is necessary to perform a contract), and to be informed about the use of their personal information. Moreover, they are empowered with the right to obtain a copy of their personal data through the “verified consumer requests” option.
The CCPA has formulated strict guidelines about the kind of business involved. The Act does not apply to nonprofit organizations or government agencies. By contrast, you need to be compliant with the CCPA if you run a business that:
has annual gross revenue in excess of $25m;
buys, receives, sells or shares the personal information of 50,000 or more Californian residents, households or devices per year;
derives more than 50% of annual revenue from selling California consumers’ personal information.
What about duties and obligations? First of all, businesses are required to add a “Do Not Sell My Personal Information” link on their website. In so doing, they allow customers to withdraw consent to the sale of their data. Then, they must inform consumers about the kind of data collected and how it will be used. Last but not least, businesses must delete consumers’ personal information when requested, while still providing equal service and pricing.
Violating this law may cause serious damage to businesses as the cost for non-compliance is high. In fact, fines can amount to $2,500 per violation and $7,500 per intentional violation.
However, when the CCPA is violated, businesses are given the possibility to cure the violation within a 30-day notice period.
But this is not the only financial risk. The CCPA also establishes a private right of action, meaning that citizens can sue companies and possibly be awarded $100 to $750.