In recent years, several data breaches have hit some of the largest corporations and exposed the records of millions of their customers. This has sparked serious debate among the public and legislatures about whether companies do enough to secure the data they hold.
As a result, some jurisdictions have passed stringent regulations governing how companies must protect consumer data against modern cyber threats. The most prominent of these is the General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council of the European Union.
In the same vein, California has passed the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020.
What Is CCPA?
The California Consumer Privacy Act is a law aimed at safeguarding the data privacy rights of consumers who live in the state. The main features of CCPA include:
1. Consumers Have Control of Their Data
Once the CCPA takes effect, consumers will have more control over whether you collect their data and how you use it. They will have the right to ask what personal information you collect about them, how you use it, and with whom you share or sell it.
If a consumer is uncomfortable, they can tell you to delete their personal information and to stop selling it. Consumers can request disclosure of the information you hold about them up to twice in a 12-month period, and you must respond to a request within 45 days.
2. Protection Against Discrimination
If a consumer exercises their rights under the CCPA, their decision must not affect how you serve them in any way. You are not allowed to:
- Deny them services
- Offer lower quality service
- Charge more for services
You are also required to offer consumers a “Do Not Sell My Personal Information” link. The link must be clear and conspicuous on your website’s homepage, and it should not be buried or hard to find on the pages where you collect data.
3. Added Protection Against Data Breaches
The CCPA operates on an opt-out basis: you are allowed to sell a consumer’s data up until the point they request that you stop. However, you are also required to implement “reasonable security procedures and practices” appropriate to the nature of the information you hold, and the private right of action for breaches (see below) hinges on whether you did so.
Since cyber threats keep evolving, what counts as a reasonable security measure will change over time. Your business will therefore have to raise its security measures as new threats arise, rather than treating compliance as a one-time exercise.
What Exactly Is Personal Information According to the CCPA?
The CCPA defines personal information as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Data that qualifies as personal information includes, but is not limited to:
- Identifiers: real name, alias, postal address, IP address, unique personal identifier, online identifier, account name, passport number, or similar identifiers
- Biometric information: facial imagery, fingerprints, iris or retina scans, and other physiological or behavioral characteristics used to identify a person
- Financial information
- Education information that is not publicly available
Information that is lawfully made available from federal, state, or local government records is considered publicly available and is not personal information under the CCPA.
Is My Business Subject to CCPA Compliance?
The CCPA applies to for-profit businesses that do business in California and collect, sell, or share the personal information of California residents. A business must also meet at least one of the following criteria:
- Derives 50% or more of its annual revenue from selling consumers’ personal information
- Has annual gross revenues of over $25 million
- Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year
If your business meets any of the above conditions, it is best to work towards CCPA compliance now to avoid non-compliance penalties.
What Are the Repercussions for Non-Compliance?
Violations of the CCPA carry serious consequences. Civil penalties imposed by the Attorney General may be as much as $2,500 per violation, or up to $7,500 for each intentional violation.
Separately, a private right of action allows consumers to file lawsuits if their non-encrypted and non-redacted personal information is exposed in a breach caused by your failure to implement reasonable security measures. Your liability in such a lawsuit ranges from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
This means that if the personal information of 100 consumers is breached, you could be liable for anything between $10,000 and $75,000 in statutory damages alone, before actual damages are considered.
How to Comply with CCPA
To comply with the CCPA requirements and ensure consumers can exercise their rights, you should:
- Provide two or more designated methods for consumers to submit requests about their personal information, including at a minimum a toll-free telephone number and, if you maintain a website, a web address
- Put in place procedures to verify requests and respond to them within 45 days
- Map and document your data collection, storage, and sharing so that a consumer’s personal information can be located, disclosed, and deleted when they ask for it
- Update your security and privacy measures, and your privacy notice, to reflect the CCPA requirements
Once you have updated your security measures and set up procedures for handling consumer requests within the required period, you will have covered the core CCPA requirements.
It’s Not Just About CCPA and GDPR
The GDPR and CCPA have set a precedent for other jurisdictions to follow in protecting their citizens’ data, and you should expect more such laws in the coming years. As such, your goal should not be merely GDPR or CCPA compliance but offering the best security you can for your consumers’ data.