The California Consumer Privacy Act (CCPA) was enacted in 2018 and took effect in US from 1st January, 2020. CCPA aims to regulate how the companies can capture, use & distribute the data of its consumers. Even if the business does not operate in California, the website will need to be CCPA compliant if it collects data from the citizens of California. The law currently offers the privacy rights only to the citizens of California state. Here is a list of FAQs which you need to keep in mind regarding CCPA.
What consumer rights come under CCPA?
The following consumer rights regarding data privacy are covered under the ambit of CCPA:
- Right to Know: Transparency about which type of data is being collected or has been collected over the past 12 months & what the company is doing with that data
- Right to Access: Getting the access to all the personal data which has been collected by the company
- Right to Delete: Consumers have the right to ask the business/service provider to delete all the personal data which they have collected and in case they refuse to do so, they will need to provide a suitable explanation for the same
- Right to Opt-Out: Consumers can prohibit the company to sell their personal data to any 3rd party like Google AdSense, they can also opt-out of any of their personal information getting collected by the business/service provider
- Right to Non-Discrimination: The consumers of California should not face any discrimination on the basis of price or quality of the products/services in case they wish to access their privacy rights
- Right to Opt-In: For consumers below the age of 16 years, they can opt-in for their personal data to be collected
- Right to Legal Recourse: In case of data breach, consumers can sue the business/service provider in the court & claim damages upto $750 per consumer per incident
What types of personal information come under CCPA compliance?
Businesses/Service Providers might collect the following types of personal information from their consumers:
- Any personal identifier such as name, alias, address, unique or online personal identifier, IP address, email, account name, social security number, passport, or driving license number
- Commercial data that includes records of property, product or services, or other historical purchase data
- Information being provided by the consumers while filling up online enquiry forms
- Geolocation data
- Biometric data
- Professional information or employee data
- Audio/Electronic/Visual/Thermal/Olfactory information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding interaction with a website, application or advertisement
- Inferences/Specialized Consumer Profiles being made using all the above mentioned data using special tools, services or technology
What businesses come under the ambit of CCPA?
The businesses meeting any one of the following 3 criteria need to adhere to the rules of CCPA:
- The first instance in which CCPA will apply is to companies with over $25 million annual revenue.
- The second criteria states that the company must have data of more than 50,000 “consumers, households, or devices” stored for the residents of California
- The last criteria is that 50% or greater of profits for the company come from the sale of data.
What all you need to do in order to comply with CCPA?
In order to comply with the CCPA guidelines, following changes will have to be made within the website or app of the business/service provider:
- Separate landing page on the website for consumers to raise requests on accessing, changing or deleting their personal data – there needs to be atleast 2 different ways for the consumers in order to exercise this right. Apart from that, the website will also have to provide non-discrimination guarantee along with the data-collection policy
- Opt-out checkbox or hyperlink for “Do not sell my personal data” must be there on the main homepage which must be clearly visible and clickable
How do businesses need to respond to consumer inquiries?
Businesses/Service Providers will have to update their inquiry response teams for responding to consumer inquiries in case they receive any requests from customers on accession, deletion or updation of their personal information:
- If a request is received by the business/service provider for disclosure or deletion of the personal information of some consumer, then it will be necessary to provide the consumer with information which has been collected over the last 12 months
- The consumer will have to be notified within a period of 10 days after a request is received for disclosure or deletion of the information
- Businesses/Service Providers need to have appropriate verification mechanisms in order to verify the consumer making the request so that the personal information is not handed over into the wrong hands
- Corresponding communication & request closure will have to be completed within a period of 45 days of making the request
- When processing the request for opting-out by any consumer, the sale of information is terminated and all parties to whom the information was sold in the previous 90 days will have to be notified
- In case, the business/service provider is not able to or partially able to fulfill the consumer request, it will have to provide appropriate explanation for the same
How does TechAhead assure CCPA compliance for its clients?
We have a clear understanding about the necessary steps required by our clients in order to be compliant with CCPA:
- Front-End Development: Guaranteed creation of a separate landing page for CCPA with all the required details on the front-end along with the necessary opt-out options on the website/app.
- Back-End Development: End-to-end thorough discussion with our clients on what type of data from the consumers will have to be collected & how it needs to be stored so that making updation is easier at the later stage.
- Data Security: Be assured about having appropriate security checks & mechanisms in order to avoid any kind of data breach along with conduction of comprehensive risk assessment & threat intelligence.