California Consumer Privacy Act (CCPA)
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) gives California residents more control over their personal information and more visibility into how it is used. For businesses, this means policies and processes must change so that the personal information held on a consumer can be disclosed to that consumer on request.
The Act requires businesses to disclose:
- The categories of personal information that will be collected
- The sources from which that personal information is collected
- The business or commercial purpose for which it is collected
- The categories of third parties with which it is shared or to which it is sold
Who Is Affected?
If you live in California, you are affected. You now have considerably more control over your information, including the right to ask what personal information a company holds about you, to opt out of its sale, and to request that it be deleted.
The Act also affects any business that collects or manages the personal information of California residents. Your business does not need to be located in California for the Act to apply, so be sure you are prepared. More specifically, a covered business is one that does business in California and meets at least one of these thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50% or more of its annual revenue from selling personal information.
According to Attorney General Xavier Becerra, officials will be keeping tabs on “sensitive, critical data,” but full-scale enforcement is not expected until July 2020.
For the procrastinators out there, get started: the Act took effect on January 1st, 2020. Businesses should not only update their privacy policies, but also decide which employees will be responsible for handling consumer requests for access to, and deletion of, their information. A process should also be put in place for how personal information is protected and stored, since you cannot disclose or delete data you cannot locate.
Smells like GDPR?
For those of us who scrambled to comply with GDPR in 2018, this should feel awfully familiar. The goal of both regulations is the same: more transparency from companies about the data they hold. Just as you do not need to be based in Europe to be subject to GDPR, you do not need to be based in California to be subject to CCPA. Wherever you are based, you must honour a consumer's request to access their data and to delete the personal information they choose, subject to the exceptions each law allows (for example, data you must retain to complete a transaction or meet a legal obligation).
The two laws differ on consent. GDPR requires a lawful basis before personal data is processed, which in practice often means opt-in consent, while CCPA does not require consent to collect: it requires notice at or before collection and a "Do Not Sell My Personal Information" option that lets the consumer opt out of the sale of their data. Both laws also set an age threshold for minors. Under CCPA, selling the personal information of a consumer under 16 requires opt-in consent, and for a child under 13 that consent must come from a parent or guardian; under GDPR, consent for online services from a child under 16 (member states may lower the threshold to 13) requires parental authorisation.
Both laws carry fines for non-compliance. GDPR fines can reach 4% of annual global turnover or €20 million, whichever is greater. CCPA civil penalties look more palatable on paper, up to $2,500 per violation and $7,500 per intentional violation, but they are assessed per violation, so the total scales with the number of affected consumers. CCPA also lets consumers sue directly, with statutory damages of $100 to $750 per consumer per incident, when a failure to maintain reasonable security leads to a data breach.
Broadly speaking, a GDPR privacy policy is the stricter of the two and will satisfy most of your CCPA requirements. You can repurpose your existing GDPR policy as a starting point, but it will still need CCPA-specific additions, such as the "Do Not Sell My Personal Information" link and a description of the rights California residents have. Do not expect the reverse to hold: a policy written only for CCPA will not be GDPR compliant.
CCPA Solution
RiskWatch helps you assess and document CCPA compliance through our software. The platform lets you standardize and automate assessment functions such as data collection, analysis, reporting and remediation. It also serves as a central repository for documentation, so you can store CCPA policies and evidence of compliance in one place in case of an audit or incident.
Select our CCPA content library and have a member of your staff complete the survey. The software then shows your overall compliance and risk posture and proposes remediation tasks. Customizable report templates let you generate a C-level report from any data selected from your assessment.