What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that will go into effect on January 1, 2020. The new consumer information security framework will have a major impact on both consumers and businesses because the regulations apply to any companies – no matter their location – that collect personal information and other consumer data from residents of California. This includes handling names, addresses, social security numbers, credit card numbers, IP addresses, and more.
Originally signed into law in mid-2018, the version going into effect in 2020 contains several amendments to better protect the state residents’ privacy rights. California’s CCPA amendments primarily clarify the original provisions but also covers any data related to customers, including both individual consumers and entities, plus vendors and employees.
With the CCPA, California is paving the way for modern privacy policies in the United States.
CCPA requirements: Does your business fall under CCPA regulations?
With the updated CCPA regulations, California is primarily seeking data security for its residents and their privacy rights. Businesses need to comply with the California Consumer Privacy Act to stay in operation, as the California attorney general will require compliance for any for-profit organization that falls under the new privacy law’s jurisdiction. Whether or not you are in California, CCPA applies to your business as long as you are collecting data from Californian residents.
In its attempt to protect Californian consumers, the CCPA also prohibits companies from discriminating against consumers when it comes to the availability and price of their goods and services. While this kind of policy can appear misplaced in a privacy law focused on consumer data protection, its purpose is to allow consumers to opt-out of the sale of data.
Similar to Europe's General Data Protection Regulation (GDPR), though with some key differences, the CCPA law is directed at organizations that handle consumers' personal information.
If your business handles vendor, consumer or workforce data of any California residents, your organization will need to be in full compliance with CCPA requirements. Businesses must also comply if they meet at least one of the following:
- Generates gross annual revenue of $25 million or more,
- Obtains personal data from 50,000 or more individuals, households or devices based in California
- Produces 50% or more of your yearly revenues from selling personal information
If your company can be described with any of the criteria above, then you will need to start preparing for California’s new privacy law framework – if you haven’t already. Because there are penalties.
Once you have been made aware of your noncompliance, you have 30 days to remedy the problem. Otherwise, you can be slapped with a $2,500 fine if your non-compliance was found to be unintentional. If it’s found that you’ve ignored your responsibilities under CCPA intentionally, you can be fined up to $7,500. And those penalties are outside the cost of settling statutory damages for individual consumer suits, which can range from $100-$750 per case.
Integrating CCPA law with your business processes
While the exact CCPA data privacy guidelines are still evolving, there are many facets of the upcoming privacy law that we already know.
Our CCPA compliance checklist includes the following:
-
Data mapping to outline which platforms within your organization are collecting personal information, why that data is being collected, how it’s stored and how it flows through your systems and externally, including how you deal with third parties
-
Informing consumers of your organization’s privacy policy, including a pop-up privacy notice upon the first visit to the site
-
Enable consumers to request all information on the personal data collected on them by your organization
-
Provide a method to delete all personal information after a request to do so is verified
-
Ensure proper data security measures are in place
-
And much more.
CCPA compliance with Zero Data
VGS vaults your users’ sensitive personal information, such as a consumer’s social security number and IP address, replacing the underlying value with an alias that enables you to interact with your sensitive data through the entirety of its lifecycle without needing to possess the data itself. This series of reasonable security procedures is called the Zero Data approach to information security.
Using VGS’ tools to classify data and control where it is sent, you can swiftly achieve CCPA compliance. This reduces your liability in case of a data breach and gives consumers peace of mind.
With VGS, businesses can now take advantage of the easiest approach to reducing their CCPA compliance burden, bypassing many of the more complex CCPA regulations and challenging elements of the upcoming data privacy framework.
The California Consumer Privacy Act (CCPA) takes a broader view than the GDPR of what constitutes private data. CCPA gives Californians the right to forbid companies to sell their information to third parties.