What Is CCPA and What Does It Mean for Business?

New Data Protection Laws Will Have an Effect Nationwide

The whirlwind passage of the CCPA is part of a larger trend towards the emergence of data protection laws. Digital privacy rights have come under scrutiny after a series of high-profile breaches and revelations that major organizations have routinely collected and sold private information without consumer knowledge.

As awareness grows worldwide of consumers' expectations regarding their privacy, the CCPA is among the first of many data protection laws that will sweep the country.

The California Consumer Privacy Act is the most comprehensive privacy law in the United States. Passed in 2018, it is aimed at companies that collect and sell personal information. It introduces ground-breaking data protections by giving California residents more control over how their private information is stored and used.

What’s the Difference Between CCPA, CalOPPA, and GDPR?

The rights granted under CCPA apply to California “consumers,” meaning residents and employees. These consumers have the right to access and delete any collected data, and to opt out of future collection by any company with which they do business online.

In contrast, CalOPPA is the California Online Privacy Protection Act of 2003. It was the first state law in the United States to require commercial websites that collect personal information to post a privacy policy that is visible specifically to California residents. This privacy policy must include certain language as outlined in the bill.

GDPR is the General Data Protection Regulation set forth by the European Union in May 2018. It gives European Union citizens significantly more control over their private data on the internet. Notably, GDPR updates the way websites acquire consumer consent to gather data, outlines clear guidelines for communicating how personal data is used, and institutes requirements for proof of user consent.

CCPA, CalOPPA, and GDPR differ greatly in their application and scope. However, they all share one critical feature: their reach extends beyond the California and European Union residents they respectively protect. Any business operating online that has or interacts with residents of either region finds itself subject to these laws.

The Scope of CCPA

The CCPA grants California consumers three critical rights when it comes to the use and sale of their data on the internet. These are:

  • The right to access information: Consumers in California are entitled to know which categories of personal information were collected or sold, from where, to whom, and why.
  • The right to data deletion: Consumers in California may request that a company deletes the personal data it has collected about them.
  • The right to opt out of data collection or sale: Consumers in California may direct a company to not collect or sell their information to third parties. The CCPA includes a definition of “sell” which extends beyond a monetary exchange.

The CCPA gives Californians a limited ability to sue any business subject to CCPA when their personal information is compromised. The state Attorney General, however, is given a much broader ability to sue on behalf of residents.

The CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, it covers any statistic, action, or piece of knowledge that can be linked to an identifiable individual. This broad definition encompasses almost every action within the digital space.

Who Does CCPA Apply To?

Just as GDPR affects American companies with European customers, CCPA will potentially affect non-Californian companies with consumers in the state. CCPA is concerned with any business that operates online and collects data from Californians or does business in California, even if that company is not physically located in California. There are also three additional criteria, of which the business must meet at least one. For CCPA to apply, the business must:

  • Generate $25 million or more in annual revenue.
  • Possess the data of 50,000 consumers.
  • Earn more than half of its annual revenue by selling consumers’ data.

If one of these three conditions is true, and the consumer information collected includes that of Californians, then CCPA applies to that business.

Will It Affect SMBs?

The three additional criteria above, known as AB375, are specifically designed to protect small and medium businesses. CCPA compliance does not apply to companies that meet none of the three requirements, and their privacy obligations to Californians remain unchanged.

Likewise, CCPA will not affect SMBs if all aspects of their business, including the sale of personal data, occur outside of California. However, if a business meets one of the three criteria above and has even a single California customer, then CCPA will apply.

Nonetheless, there is significant confusion about whether CCPA applies to a given business. In a survey of 625 business owners and company executives, global IT security leader ESET found that 34% of respondents didn’t know whether CCPA affected them, while another 22% claimed to “not care.”

Under CCPA, SMBs that fail to comply face potentially hefty fines. For companies that may need to comply with CCPA, the time to start preparing is now.

How SMBs Can Prepare for CCPA

SMBs that are already on the path towards GDPR compliance will find CCPA compliance slightly easier, even though the latter has a broader scope. For companies that collect and sell personal information, preparing for CCPA compliance includes:

  • Updating privacy notices and policies. The CCPA requires that consumers be explicitly notified of the company’s intent to collect and sell information “at or before the point of collection.” This notice must include what information is collected and why.
  • Updating data inventory with new classifications. Data stored on the backend must include records of the information’s sale, its transfer to third parties, the time of collection and sale, and an indication of whether the information is covered by HIPAA or another data privacy law.
  • Creating procedures to comply with California consumer rights. Companies need a way for consumers to request access to or deletion of their personal information, or to opt out of its sale.
  • Reviewing site and business security. The CCPA requires “reasonable” personal data protection. For SMBs, a managed service provider may lighten this burden.
  • Training staff. Train staff on what CCPA is, what its compliance requirements are, how to handle the new procedures, and how to handle potential incidents.
  • Starting now. When the CCPA rolls out on January 1, 2020, Californian consumers will be able to request data collected up to 12 months prior. Businesses must be able to provide records of collected and sold data as far back as January 1, 2019.

Key Takeaways

  • CCPA is the most far-reaching and comprehensive data privacy law in the US. It confers certain rights on California consumers regarding the collection, use, and sale of their data online.
  • Although the law has certain exemptions designed for SMBs, it can still potentially affect these companies.
  • CCPA requires significant changes to how notices are given to consumers, as well as how businesses store, classify, and protect personal information.
  • The ability of California consumers to request data collected up to 12 months prior means that businesses need to start preparing for CCPA compliance now.

Digital privacy laws are emerging on national and global levels. Impact Networking can help your business prepare. Start a conversation with our nearest office today to learn how CCPA affects you.