The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2019, and goes into effect on January 1, 2020. However, it has been covering Personally Identifiable Information (PII) data since January 1, 2019. This article will give you an in-depth look at the regulation and how it applies to your company.
Are you ready for CCPA compliance? The cost of a data breach has increased exponentially as the size of data breaches increases. The 14th-annual Cost of Data Breach Study found that the average cost of a data breach was $3.92M, and that a breach took on average 279 days to identify and contain. As more and more countries/states are enforcing strict privacy laws that protect consumers, violations of data privacy regulations could cost you millions.
To avoid hefty fines and headaches, reach out to the experts at Axis to take care of your data compliance. With over 25 years of data privacy experience, Axis will design a business process and software implementation that will enable you to avoid hefty fines.
What does CCPA do?
The following is a summary of the rights it affords consumers:
- Right to know all personal data collected by a business
- Right to say no to the sale of personal data
- Right to delete personal data
- Right to be informed of what categories of personal data will be collected before its collection, and to be informed of any changes to this collection
- Mandated opt-in before sale of children’s information (under the age of 16)
- Right to know categories of third parties with whom personal data is shared
- Right to know categories of sources of information from whom personal data is acquired
- Right to know the business or commercial purpose of collecting personal information
- Private right of action when companies breach personal data
What is considered PII under CCPA?
- Information typically considered PII under state breach laws, such as names, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, and biometric information
- IP addresses
- “Characteristics of protected classifications under California or federal law,”
- Commercial information (defined to include personal property records or purchasing history)
- Geolocation data
- Internet activity (including browsing and search history as well as web tracking data)
- Professional and employment information
- Education information
- “Audio, electronic, olfactory or similar information” and “inferences drawn” from any of the information contained in the definition
Household vs Individual Data
What is household data vs. individual data? Let’s say a husband and wife or a family unit share a joint account on a movie-sharing service. Will you record their behavior and purchases as individuals or as a group? Or both?
Which organizations must comply with CCPA?
Organizations impacted by CCPA are defined in Section 1798.140(6)(1)(A-C). At least one of the following must be true for your organization:
- $25M+ annual gross revenues
- You buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50K or more consumers, households, or devices each year.
- 50% or more of your annual revenue is derived from selling consumers’ personal information.
CCPA applies to you as a company if the following apply:
- You’re a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners. As written, CCPA doesn’t appear to apply to non-profit organizations, but this is one of many items the California Attorney General and/or state legislature will further clarify.
- You “do business in” California. This phrase isn’t defined in the CCPA, but you may assume that it applies to any business, whether or not geographically located in California, that collects and/or sells the personal information of California residents, which would be consistent with California’s tax and corporations codes.
- You collect consumers’ personal information, or someone collects it on your behalf. “Collect” means to buy, rent, gather, obtain, receive, or even access information, by any means, whether actively or passively, including by observing a consumer’s behavior.
- You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
What fines can companies be subjected to?
- $7,500 in fines for every intentional violation
- $2,500 in fines per non-intentional violation
- $100-750 in damages awarded in individual or class-action lawsuits per violation
What do you need to provide the consumer if you collect PII?
If you collect personal information about a consumer, you must provide:
- Categories of personal information your business has collected
- Specific pieces of personal information your business has collected
- Categories of sources from which the personal information was collected
- The business or commercial purpose for the collection
- Categories of third parties with whom your business shares the personal
If you sell or disclose personal information about consumers you must provide:
- Categories of personal information you have collected about the consumer
- Categories of personal information you have sold about the consumer
- Categories of third parties to whom the personal information was sold (organized by category of personal information for each third party)
- Categories of personal information you disclosed about the consumer for a business purpose
What do I need to provide if I acquire data from a third party?
You will need to know every party involved in data collection, storage, computation, sharing, and selling and the operational details of exactly what they do and where they do it. If you receive data from third parties about consumers, you must be able to track the sources and respond appropriately to any requests you receive from your partners. If you disclose data to third parties to enrich, share or sell data downstream, you’ll need to review and possibly renegotiate contracts. You should ensure contracts require third parties to abide by CCPA and/or restrict their use or sale of personal information for all consumer data.