The CCPA becomes affective on 1 January 2020. It is a bill at state level that seeks to protect consumers and further their privacy rights. Consumers within the statute are defined as a natural person who is a resident of California.
The CCPA applies to any business that collects the personal information of Californian residents where personal information is defined as information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly with a particular consumer or (differently to GDPR) household.
Small businesses are exempt from the regulation. The CCPA applies only to businesses who meet one or more of the three criteria: having a gross annual turnover of over $25 million; through its business activities buys, receives, sells or shares personal information of 50,000 or more consumers annually (households or devices),
generates 50% or more of its annual revenue from selling consumer personal data.
Sometimes referred to as ‘California’s GDPR’, there exists some significant difference between how data types and subjects rights are defined. Important differences include that definitions tends to be broader under CCPA and CCPA covers more types of data, (for instance, the CCPA includes inferences made by a business about a data subject). Some of the the rights given under it are more expansive than GDPR yet others are more restrictive. These distinctions will mean that policies and programs in place that have helped your business become compliant in GDPR will need some reworking to be compatible with the requirements of the CCPA.
Under CCPA the 5 consumer rights consist of:
the right to access personal information - categories and specific pieces of personal information;
the right to have personal information deleted;
the right of disclosure; on what categories are collected, from what sources, the given business purpose, how data shared with third parties and specifically what has been shared or sold;
the right to opt out and opt in; which involves the asking the business not to sell data to third parties without the individual’s consent.
the right to non-discrimination - (against a consumer who is choosing to exercising their consumer rights - although financial incentives are permissible, although in terms of level of quality of goods or services offered) will probably lead to the most difficulties. This particular right is regarded as too ambiguous currently and it will only become apparent how it will work in practice as the Attorney General of California irons the legislation and fleshes out the rules in the coming years.
With regard to the opt-in opt-out right, it is mandatory within CCPA that a business’ Website Notice offers a link (clearly showing on the website) that states “Do not sell my personal information”. As with GDPR, a data mapping exercise, staff training, proper privacy notices showing how data subjects can access the information and have internal procedures and policies in place that govern all actions including authentication of data subject are all crucial first steps to be able to begin to manage the new rules of data collection.