Understanding The Policy
The California Consumer Privacy Act (CCPA) is the new privacy policy enacted to regulate how business use the customer data. It was put into action to enhance the consumer protection and the privacy rights of the residents of California, United States. The CCPA was signed into law by the government of the State of California on June 28, 2018 and got amended in September 2018.
Californian Consumer Rights Before The CCPA
Businesses usually collect a lot of information of their consumers, employees, and prospects. This includes the identity information, health information, geolocation data, biometric data, and financial and asset information (and many other types of personal information).
Now before CCPA,
- No governing body was there to set up any limitations on the unauthorized disclosure of this data.
- Consumers didn't have any control in order to protect their personal information.
- Businesses were not penalized for any kind of violation.
Californian Consumer Rights Under The CCPA
This new privacy policy expands many consumer and privacy rights of the Californian residents. It encourages businesses transparency, gives good amount of control to the consumers on how their personal information will be used and aims at reducing the data misuse.
Here's a list of personal information specified by the law:
- Identifiers: Real name, postal address, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interactions online.
- Geolocation data.
- Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Professional or employment-related information.
- Education information: Data that is not publicly available but is personally identifiable as defined in the Family Educational Rights and Privacy Act. For example, schools may provide external companies a student's personally identifiable information without the student's consent.
- Audio, electronic, visual, thermal, olfactory, or similar information.
Here are the 6 rights that Californian residents can now exercise on their personal data:
Right To Know:
A consumer has the right to get informed about all its personal information collected by the business. A consumer must be notified about how are they collecting this information, what are they using it for, and whether and to whom is this data getting disclosed.
Right To Access:
The CCPA requires covered businesses to honor the consumer requests pertaining to access to their personal information.
CCPA leaves behind the publicly available information. Publicly available is something made lawfully available by the federal, state, or local government records. However, the information is not publicly available if it is used for a purpose that is not compatible with the purpose for which the information records are maintained.
Upon receiving a request to access the information, business must provide the following information -
- The collected categories of personal information (e.g. name, phone number, date of birth)
- The specific pieces of the collected personal information
- The categories of sources of personal data
- The commercial purpose of collecting or selling personal information
- The categories of third parties with whom the personal information is shared
Right To Delete:
Californian consumers can exercise their right to request a business to delete their personal information under the CCPA. The service providers must be instructed to delete the data with immediate effect. As per the law, businesses will have 45 days to comply with the request. It's mandatory that their privacy policy mentions the availability of the deletion right.
Right To Opt-out:
Business are required to provide a clear and conspicuous link titled “Do Not Sell My Personal Information” on their homepage and in their privacy policy under the CCPA. The link must take the consumer to an internet web page enabling a successful opt-out of the sale of its personal information.
Right To Opt-in (Consent for Minors):
Businesses should be aware of the fact that the opt-out requirement of CCPA is modified for kids (below 16 years old). Therefore, instead of the general opt-out, the business must collect opt-in consents.
Between 13 and 16 years of age, the consumer must affirmatively authorize the sale of their personal information. For a child less than 13 years old, a parent or guardian must affirmatively authorize the sale of information.
Right To Equal Service And Price:
Businesses covered under CCPA are prohibited from causing any kind of discrimination to Californian consumers for exercising their rights. This discrimination includes, but isn't limited to:
- denying the sale
- charging different prices
- offering different qualities of goods or services
However, if the difference is “reasonably related to the value provided to the business by the consumer’s data”, CCPA does allow businesses to offer different prices or biased services. Companies can also offer financial incentives to consumers in exchange for the collection or sale of their personal information.
Do I Need To Comply With The CCPA?
There's been some confusion amongst businesses that everybody has to comply with the CCPA. As per the law, the for-profit entity doing business in California that currently collects and controls the processing of a consumer’s personal data must comply with the CCPA.
It applies to businesses that fall under ANY one of these three categories -
-
Businesses generating over $25 million in annual gross revenue.
-
Businesses collecting, sharing, buying and/or selling the data of at least 50,000 consumers.
-
Businesses making at least 50% of its revenue from the sale of personal information.
What Is The Compliance Deadline For The CCPA?
The compliance date for the implementation of CCPA is January 1, 2020. Whereas the enforcement deadline is July 1, 2020. The effective date was kept 18 months from the passage of the law. This deadline was shorter than what the European Union gave businesses to prepare for the General Data Protection Regulation (GDPR).
And, If I Don't Comply With The CCPA?
Businesses that are covered under the law but fail to implement the solutions to handle the right to access, the right to delete, the right to opt-out/opt-in, and the other requirements of California’s new privacy law, might have to face penalties.
Civil Penalties:
- Up to $2500 for negligent violations
- Up to $7500 for intentional violations
Statutory damages:
How Can iZooto Help?
As a Data Processor, iZooto provides a round-the-clock support to all the customers (Data Controllers). If you have any particular data requests, please reach out to us at support@izooto.com and in case of queries related to the CCPA policy, drop us a line here at legal@izooto.com.
.png?width=50&height=50&name=segment%20(1).png)
.png?width=32&height=32&name=testimonial%20(2).png){kind=small}
