Identity Blog

The California Consumer Privacy Act (CCPA): An Introduction to Compliance

Introduction to CCPA Compliance


Every day, societies are becoming more digitized. Instead of speaking to a colleague, you’ll chat online. To hail a cab, just tap your phone screen. Need a doctor? There’s an app for that, too. All of this online activity gives businesses valuable consumer data (e.g., name, age, email addresses). 

However, starting January 01, 2020, the way you collect, store, and share this data may land you in trouble. If you’re unsure how the California Consumer Privacy Act (CCPA) will impact your company, keep reading. This introduction to CCPA compliance focuses on the most common questions that businesses have today. 

For more detailed information, including the major differences between GDPR and CCPA, download our white paper here.

For now, let’s start with the basics.

What is the California Consumer Privacy Act?

The CCPA’s goal is to give consumers more information and control over how their personal information is being used. It will apply to all businesses that handle or collect data from California residents. 

What is residency based on? Basically, anyone who pays taxes to the State of California is a California consumer, whether they currently live in the Golden State or not. This California residency law site explains more:

“Under California law, a person who visits the state for other than a temporary or transitory purpose is also a legal resident, subject to California taxation. Even visits can result in residency status. Examples of such visits include an indefinite stay for health reasons, extended stays (usually over six months), retirement, or employment that requires a prolonged or indefinite period to accomplish.”

How do you comply with the California Consumer Privacy Act?

Preparing for compliance can feel overwhelming. In fact, in a recent survey of American companies, nearly half had not begun implementing privacy policies (TrustArc, 2019). 

However, here are three ways you can get started now.

Ensure that your decision-makers and key stakeholders know:

  • What the CCPA is and who it concerns.
  • When it goes into effect: January 1st, 2020.
  • How CCPA rules affect your business practices.

Document and organize customer information, so your company knows:

  • Which personal information is being collected.
  • How personal information is being collected.
  • Where personal information is being stored.
  • Why personal information is being collected.
  • Where personal information is being shared. 

This will help you set up an efficient system for information retrieval should a customer or auditor request that info. Enlisting a Data Protection Officer or a Data Protection Team to handle these requests is a good idea.

Review and update your privacy policies.

A GDPR Privacy Policy will meet CalOPPA/CCPA requirements, but a CalOPPA/CCPA policy might not be GDPR-compliant. To be safe, be sure that your CCPA privacy policy is clearly defined and easily distinguishable from GDPR regulations.

It’s also helpful to train your customer-facing employees on how privacy policies and CCPA compliance can improve customer trust and increase engagement.

Customer engagement after CCPA compliance, privacy, and consent is in place.

Is the California Consumer Privacy Act like the GDPR?

This post highlights the most important differences between the California Consumer Privacy Act and the General Data Protection Regulation (GDPR). For a more thorough comparison, see our CCPA vs. GDPR infographic.

1. Transparency 

The California Consumer Privacy Act requires businesses to be transparent about how they handle a customer’s personal information. Failure to comply can lead to a fine of up to $2,500 per violation (or $7,500 if the violation was intentional) and can damage your brand. 

2. Disclosure 

The California Consumer Privacy Act requires businesses to disclose the following before, or at the time of, collecting consumer data:

  • What type of personal information you intend to collect
  • The source or medium used to collect personal data
  • Why you’re collecting and selling personal information
  • Which third parties will receive this personal information

What’s more, businesses must share this information upon the customer’s request—and show the personal data that was collected. This means that customer data must be readily available for disclosure at any time. In most situations, businesses must also delete a customer’s personal information upon request.

3. Consent

Here’s how the CCPA regulates consent:

With the California Consumer Privacy Act, consumers must see a “Do Not Sell My Personal Information” link on a company’s homepage. This is usually a clearly visible footer on websites offering consumers the option to opt out of data sharing. For customers age 16 or younger, this must be presented as an opt-in choice. Furthermore, businesses cannot discriminate against customers based on their personal information.

What if my company is not compliant?

The CCPA creates a private right of action for California residents to sue companies if their personal information is subject to “unauthorized access and exfiltration, theft, or disclosure.” A defendant company is liable if it violates a duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” in the company’s possession. 

However, the CCPA does not explain or define this “duty,” so it will be resolved by judicial interpretation. 

How does the CCPA handle data loss?

A 2018 study by IBM Security and Ponemon charted the average cost of a data breach. The following year, the global average rose to $3.92M.

The scary thing is how fast this cost can increase every year. In the USA, the average jumped from $7.91 million in 2018 to $8.19 million in 2019. Why is it so high, you ask?

According to the information privacy website IAPP:

“The risk of identity theft caused by a breach of personal information permits a federal action against the data controller. No actual damage or specific evidence of identity theft is required.”

Here’s where the costs can add up: Plaintiffs can seek statutory damages between $100 and $750, injunctive or declaratory relief, or “any other relief the court deems proper.” Actual damages are only recoverable if they exceed the statutory damages. Actions can be aggregated into a class action suit. 

Can software solve compliance challenges?

If the California Consumer Privacy Act feels burdensome to your organization, consider it an opportunity. Privacy is valuable to customers. Therefore, successfully implementing CCPA requirements on time can give a leading edge to your brand.

Thankfully, compliance-ready software solves a lot of your compliance challenges. Here are some examples of how it works.

Challenge: In 2019, TrustArc surveyed 250 American companies of various sizes from different industries. They found that 63% required help getting External Certification of Validation for the CCPA regulations. 

Additionally, over 60% of these companies were unsure about implementing privacy engineering and data transfers.

Solution: Privacy is a legal challenge that can be solved with technology. As experts in customer identity and access management (CIAM), LoginRadius can help your business meet its compliance needs. The LoginRadius Identity Platform is compliance-certified and built to manage compliance with all major privacy regulations, including the GDPR and the CCPA. LoginRadius software is kept up to date with evolving regulations and new international privacy laws.

Challenge: 56% of American companies need help getting direct marketing consent. 

Solution: The LoginRadius Identity Platform allows for customizable registrations. With this tool, you can disclose your privacy policies and ask for consent that meets global compliance rules. The LoginRadius Identity Platform also helps with age validation and determines which type of consent is appropriate for your customer. 

How does LoginRadius handle consent withdrawal?

With the CCPA, your organization needs to prepare for consent withdrawal. The LoginRadius Identity Platform centralizes all your customers’ personal information. You can document and manage your customers’ consent including withdrawal.

Another core component of the CCPA is providing data access to auditors or customers, should they request it. With the LoginRadius Identity Platform, customer data is unified into one profile for easy access. You can also export it in an easy-to-read format.
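The three obligations this post keeps returning to, a documented inventory of what personal information is held and why, a consent choice that defaults to opt-out for adults but must be opt-in for customers age 16 or younger, and a consent record that survives withdrawal and can be exported for a consumer or auditor access request, can be modelled in a small amount of code. The following is an added illustration written for this post; it is not LoginRadius code and does not use the LoginRadius Identity Platform API. All customer data, inventory entries and consent sources in it are constructed, and the 16-year age threshold is taken from the post as written.

```python
"""Data inventory plus append-only consent ledger for CCPA "Do Not Sell" handling.
Constructed example: every record below is made up for illustration."""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional

# The post states that customers age 16 or younger must be given an opt-in
# choice; everyone older gets the opt-out ("Do Not Sell") model.
OPT_IN_MAX_AGE = 16


@dataclass
class DataField:
    """One inventory entry: what is collected, how, where it is stored,
    why it is collected and with whom it is shared."""
    name: str
    source: str
    storage: str
    purpose: str
    shared_with: List[str]


@dataclass
class ConsentEvent:
    """A single consent decision. The ledger is append-only, so a withdrawal
    is a new "opt_out" event rather than an edit of an earlier record."""
    action: str   # "opt_in" or "opt_out"
    source: str   # where the choice was made (hypothetical labels below)
    at: str       # ISO-8601 UTC timestamp


@dataclass
class Customer:
    customer_id: str
    age: int
    inventory: List[DataField]
    consent_log: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, action: str, source: str,
                       at: Optional[datetime] = None) -> None:
        """Append a consent decision; rejects anything other than opt_in/opt_out."""
        if action not in ("opt_in", "opt_out"):
            raise ValueError(f"unknown consent action: {action}")
        at = at or datetime.now(timezone.utc)
        self.consent_log.append(ConsentEvent(action, source, at.isoformat()))

    def may_sell(self) -> bool:
        """Whether personal information may currently be sold.
        The most recent event wins. With no event on file the default depends
        on age: no sale for 16 or younger (opt-in), sale allowed otherwise (opt-out)."""
        if self.consent_log:
            return self.consent_log[-1].action == "opt_in"
        return self.age > OPT_IN_MAX_AGE

    def access_request_export(self) -> str:
        """Readable JSON for a consumer or auditor data-access request:
        the inventory, the current sale status and the full consent history."""
        return json.dumps({
            "customer_id": self.customer_id,
            "sale_permitted": self.may_sell(),
            "personal_information": [asdict(f) for f in self.inventory],
            "consent_history": [asdict(e) for e in self.consent_log],
        }, indent=2)


def sample_inventory() -> List[DataField]:
    # Constructed inventory entries for the example, not real systems.
    return [
        DataField("email", "registration form", "accounts database",
                  "login and order receipts", ["payment processor"]),
        DataField("shipping_address", "checkout form", "orders database",
                  "order fulfilment", ["courier"]),
    ]


def demo() -> dict:
    """Walk an adult and a minor through default, opt-out, opt-in and withdrawal."""
    adult = Customer("c-001", 34, sample_inventory())
    minor = Customer("c-002", 15, sample_inventory())
    before = (adult.may_sell(), minor.may_sell())          # (True, False)
    adult.record_consent("opt_out", "do-not-sell footer link")
    minor.record_consent("opt_in", "registration checkbox")
    minor.record_consent("opt_out", "account settings")    # consent withdrawn
    after = (adult.may_sell(), minor.may_sell())           # (False, False)
    return {"before": before, "after": after,
            "export": adult.access_request_export()}


if __name__ == "__main__":
    result = demo()
    print(result["before"], result["after"])
    print(result["export"])
```

Keeping the ledger append-only is the point of the design: a withdrawal is evidence you may later need to show an auditor or a court, so it is recorded as a new event with its own timestamp and source rather than by overwriting the original grant, and the export hands back the whole history alongside the inventory in one readable document.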

Last but not least, LoginRadius provides top-notch security that monitors and protects your customer data. For example, our CIAM software can encourage your customers to use strong passwords, protect the data against brute-force attacks, block access from suspicious IPs, and more.

Summary

Following GDPR rules will not automatically lead to CCPA compliance; don’t wait to be sued to find out. Let LoginRadius help your business become globally compliant. Not only does our technology meet GDPR and CCPA regulations, but we continuously update it to meet new international privacy laws.

Need help preparing for CCPA or GDPR compliance? Click here for a free trial or call 1-844-625-8889 today.
