The California Consumer Privacy Act (CCPA) is the new privacy policy enacted to regulate how business use the customer data. It was put into action to enhance the consumer protection and the privacy rights of the residents of California, United States. The CCPA was signed into law by the government of the State of California on June 28, 2018 and got amended in September 2018.
Businesses usually collect a lot of information of their consumers, employees, and prospects. This includes the identity information, health information, geolocation data, biometric data, and financial and asset information (and many other types of personal information).
Now before CCPA,
This new privacy policy expands many consumer and privacy rights of the Californian residents. It encourages businesses transparency, gives good amount of control to the consumers on how their personal information will be used and aims at reducing the data misuse.
Here's a list of personal information specified by the law:
Here are the 6 rights that Californian residents can now exercise on their personal data:
A consumer has the right to get informed about all its personal information collected by the business. A consumer must be notified about how are they collecting this information, what are they using it for, and whether and to whom is this data getting disclosed.
The CCPA requires covered businesses to honor the consumer requests pertaining to access to their personal information.
CCPA leaves behind the publicly available information. Publicly available is something made lawfully available by the federal, state, or local government records. However, the information is not publicly available if it is used for a purpose that is not compatible with the purpose for which the information records are maintained.
Upon receiving a request to access the information, business must provide the following information -
Californian consumers can exercise their right to request a business to delete their personal information under the CCPA. The service providers must be instructed to delete the data with immediate effect. As per the law, businesses will have 45 days to comply with the request. It's mandatory that their privacy policy mentions the availability of the deletion right.
Business are required to provide a clear and conspicuous link titled “Do Not Sell My Personal Information” on their homepage and in their privacy policy under the CCPA. The link must take the consumer to an internet web page enabling a successful opt-out of the sale of its personal information.
Businesses should be aware of the fact that the opt-out requirement of CCPA is modified for kids (below 16 years old). Therefore, instead of the general opt-out, the business must collect opt-in consents.
Between 13 and 16 years of age, the consumer must affirmatively authorize the sale of their personal information. For a child less than 13 years old, a parent or guardian must affirmatively authorize the sale of information.
Businesses covered under CCPA are prohibited from causing any kind of discrimination to Californian consumers for exercising their rights. This discrimination includes, but isn't limited to:
However, if the difference is “reasonably related to the value provided to the business by the consumer’s data”, CCPA does allow businesses to offer different prices or biased services. Companies can also offer financial incentives to consumers in exchange for the collection or sale of their personal information.
There's been some confusion amongst businesses that everybody has to comply with the CCPA. As per the law, the for-profit entity doing business in California that currently collects and controls the processing of a consumer’s personal data must comply with the CCPA.
It applies to businesses that fall under ANY one of these three categories -
Businesses generating over $25 million in annual gross revenue.
Businesses collecting, sharing, buying and/or selling the data of at least 50,000 consumers.
Businesses making at least 50% of its revenue from the sale of personal information.
The compliance date for the implementation of CCPA is January 1, 2020. Whereas the enforcement deadline is July 1, 2020. The effective date was kept 18 months from the passage of the law. This deadline was shorter than what the European Union gave businesses to prepare for the General Data Protection Regulation (GDPR).
Businesses that are covered under the law but fail to implement the solutions to handle the right to access, the right to delete, the right to opt-out/opt-in, and the other requirements of California’s new privacy law, might have to face penalties.
$100-$750/consumer per incident
As a Data Processor, iZooto provides a round-the-clock support to all the customers (Data Controllers). If you have any particular data requests, please reach out to us at support@izooto.com and in case of queries related to the CCPA policy, drop us a line here at legal@izooto.com.
Sign up on iZooto and start growing and engaging your audience. 2 Weeks Free Trial