California Consumer Privacy Act (CCPA): What You Need to Know
The California Consumer Privacy Act (AB 375) is a state law passed in 2018 that gives California residents the right to know about, and maintain control over, their Personally Identifiable Information (PII). Though often compared to the European Union’s General Data Protection Regulation (GDPR), there are a number of core differences to consider.
Does CCPA Affect Your Organization?
It is important to note that CCPA is not limited in scope to entities that have physical operations in California. The law also applies to for-profit entities “doing business” in the state, if any of the following three conditions apply:
1. Companies with at least $25 million in revenue
2. Companies that store data on more than 50,000 consumers, households, or devices
3. Companies that derive 50 percent or more of their annual revenue from the sale of goods to California residents
What Rights Does CCPA Give California Residents?
- The right to know whether any of their PII is being collected
- The right to know exactly what kind of data is being collected
- The right to refuse the sale of their PII data
- The right to have their data deleted upon request
- The right, for those who have exercised their privacy rights, to receive the same service and price as those who have not
What is Personally Identifiable Information (PII)?
Personally Identifiable Information, or PII, is any data that could potentially be used to positively identify, contact, or locate a single person, or to identify an individual in context.
According to a US governmental study, 87 percent of the US population is uniquely identified by a combination of gender, ZIP code and date of birth.
What are Some Examples of PII Data?
- Personal identifiers, such as the person’s name, alias, postal address, IP address, email address, account names, social security number, driver’s license number, passport number, or other similar identifiers
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Internet activity data, including (but not limited to): browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement
- Geolocation data
- Biometric information (retinal scans, fingerprint identification, genetic data)
- Audio, electronic, visual, thermal, olfactory, or similar information
- Photos of the user
- Professional or employment-related information
- Education history or other information
Why Would I Have PII Data on My Customers?
There are many ways that PII data lands in an organization’s database, and forms are the most common. Any time a user purchases an item from an ecommerce site, their PII is required to complete the transaction. Even submitting a form to opt into a company newsletter can often require PII data.
Top Tip: To minimize the risk that comes with holding PII data, we recommend that you only request the information necessary to serve your customers.
For example, if a user is simply signing up to receive your newsletter, there is no reason to ask for their address, age, marital status, income, interests, or other personal information. In fact, the only piece of information you need in that case is their email address.
Is there any Crossover with Other Privacy Laws?
The CCPA has crossover with federal regulations that protect a user’s PII, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Driver’s Privacy Protection Act (DPPA)
What Is the Penalty for Non-Compliance?
Failure to comply with the CCPA can result in penalties of up to $7,500 (USD) per violation. At $2,500 per user per piece of data, fines could easily scale to the tens of billions for a company that does not comply.
What are the Three Basic Steps of CCPA Compliance?
Step One – Update Privacy Notices and Policies
- Place a statement “at the point of collection” of data, informing the user of their rights
- State (specifically) what categories of information are collected, and how they will be used
- If necessary, maintain one privacy notice for California residents and another for GDPR
- Include a chart that clearly outlines the specific rights set forth by CCPA
Step Two – Update Data Inventories, Business Processes, and Data Strategies
Companies should maintain a data inventory (a database that tracks the business processes, third parties, products, and applications that store and use consumer PII) and use it to:
- Identify if the data being used is collected for the purpose of completing a sale
- Identify which (if any) data is being transferred to third parties (APIs, etc.)
- Identify whether any of the information collected is also covered by HIPAA, FCRA, or another law that may exempt it from, or supersede, the scope of the CCPA
- Verify whether the collected data is over 12 months old; if so, the company may be exempt
Remember: keep the database up to date!
Step Three – Implement Protocols to Ensure Consumer Rights
Right to Notice – The consumer has the right to be properly notified which categories of personal information will be collected.
Right of Access / Right to Request – The consumer has the right to request free of charge, by mail or electronically, all personal information that has been collected and used.