The California Consumer Privacy Act (CCPA) went into effect in January 2020, setting a new standard for consumer data protection in the United States. The Act gives consumers in California more control over their personal information, including the right to know what information businesses collect about them, how it is used, and who it is shared with. Consumers also have the right to delete their personal information, opt out of its sale, and prevent businesses from discriminating against them for exercising their CCPA rights.
The CCPA applies to businesses of all sizes that collect personal information from California residents, just as GDPR applies to businesses that collect data on EU citizens. The Act’s stringent requirements pose challenges for businesses, similar to the GDPR. However, it also offers a roadmap for businesses aiming for full compliance. This includes:
- Designating a team or individual responsible for data privacy
- Creating a privacy policy that complies with CCPA requirements
- Implementing technical and organizational security measures to protect personal information
- Training employees on data privacy best practices
- Responding to consumer requests for access, deletion, and portability of their personal information
- Ensuring a transparent and accessible process for these requests
The specific steps that each business needs to take to achieve compliance will vary, depending on its operational nuances and the nature of the data it processes.
The CCPA: 6 Consumer Rights
The CCPA establishes eight fundamental rights regarding the collection, sharing, storage, and use of personal data for California residents. Adhering to these rights is crucial for safeguarding consumer privacy and evading potential legal repercussions.
1. The Right to Notice
Also known as the “Right to Know,” this gives consumers the right to request information about the data a business has collected about them over the past 12 months. This includes the categories of personal information collected, sources from which it was collected, the purpose for collecting it, and the categories of third parties with whom the business shares that information.
- Businesses must provide consumers with notice of their personal information collection, use, sale, and sharing practices at or before the point of collection.
- The notice must be clear and concise, and it must be easy for consumers to understand.
2. The Right to Erasure
Also known as the “Right to Delete,” this gives consumers the right to request the deletion of personal information that a business has collected from them, subject to certain exceptions.
- Consumers have the right to request that businesses delete all of their personal information.
- Businesses must comply with these requests within 45 days and provide consumers with a confirmation of deletion.
3. Right to Opt-In for Minors
Businesses must obtain affirmative authorization, or “opt-in,” from teenaged consumers before selling their personal information.
- Businesses cannot sell minors’ personal information unless the minor (aged 13 to 16 years) or the parent/guardian (if the minor is under 13 years) opts in to allow this sale.
- Businesses can be held liable for the sale of minors’ personal information if they either knew or wilfully disregarded the consumer’s status as a minor and the minor or parent/guardian had not willingly opted in.
- Businesses must provide a clear and conspicuous way for minors to opt out of the sale of their personal information.
4. Right to No Discrimination
Businesses cannot discriminate against consumers for exercising their CCPA rights. Discriminatory practices can include denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services to the consumer.
- Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.
- Businesses may vary their services or change the price of goods and services if the difference in service or price is reasonably related to the value of the consumers’ personal information to the business.
5. Right to Opt-Out
This gives consumers the right to opt out of the sale of their personal information to third parties.
- Businesses must set up a “Do Not Sell My Information” button on their website and implement procedures to comply with the right to opt-out.
- Businesses cannot re-ask consumers for consent to sell their personal information for a period of 12 months after they have opted out.
6. Private Right of Action
This gives consumers the right to bring a lawsuit directly against a business over certain security breaches involving their personal information.
- The CCPA permits a consumer to initiate a privacy cause of action for security breaches.
- The CCPA requires businesses to notify consumers of security breaches within 72 hours of becoming aware of the breach.
The CPRA: 2 Additional Rights
Passed by voters in 2020, the Consumer Privacy Rights Act (CPRA) amends and strengthens the CCPA. The law expands the CCPA definition of personal information to include additional categories of information. It also establishes two additional consumer rights.
7. Right to Correct (CPRA)
The CPRA gives consumers the right to correct inaccurate personal information that businesses have collected about them. Businesses will be required to disclose this right to consumers and provide them with a way to request a correction.
- Consumers also have the right to request that a business delete personal information, subject to certain exceptions.
- Businesses must use “commercially reasonable efforts” to correct inaccurate personal information, as defined by the CPRA.
8. Right to Limit Use of Personal Information (CPRA)
The CPRA gives consumers the right to request that a business limit the use of their personal information for certain purposes, such as targeted advertising.
- Businesses must inform consumers as to how they intend to use any sensitive personal information they process before collecting it. They must also let them know whether the information will be sold or shared and how long they plan to keep it.
- Businesses must comply with these requests unless they have a compelling legitimate interest in continuing to use the information for the specified purpose.
Protecting customer data is up to you
Doing business online comes with more risk and responsibility than ever. It’s critical that you do everything you can to demonstrate compliance with the CCPA, which for most organizations means technological and operational changes. Failure to comply comes at a serious cost.
The CCPA allows the California Attorney General to impose civil penalties of up to $7,500 per violation for intentional violations of the law and $2,500 per violation for unintentional violations. Businesses that are notified by the California Attorney General’s Office that they have violated the CCPA have 30 days to cure the violation. If businesses fail to cure the violation within 30 days, they can be fined. By understanding the civil penalties for violations of the CCPA, businesses can take steps to avoid being fined and to comply with the law.