The Key CCPA Principles
The California Consumer Privacy Act (CCPA) is revolutionizing the U.S. data protection, introducing stricter measures and setting new standards for the consumer rights of California residents.
The CCPA represents a groundbreaking law in the U.S. legislation history, bringing hefty fines for corporations that don’t establish valid compliance. It was passed in 2018; however, it first took effect on January 1st, 2020.
And we’ve already seen the first lawsuits! However, the fines are not the only reason the large companies are in a hurry to become CCPA-compliant.Establishing a required data policy has become a symbol of a company’s prestige and trustworthy brand identity.
Lawmakers project that other state jurisdictions will follow this example and that a federal data protection law could even be in our future. However, it remains to be seen. While aiming at preventing massive data scandals, such as Cambridge Analytica, some law experts argue that CCPA has been created “in a rush” and that there will be changes soon. However, don’t worry, here you’ll find all the latest updates.
First, you need to follow the current key CCPA principles. Thus, let’s check them out and see if they apply to your company!
A. CCPA vs. GDPR
There is a statement that the CCPA policy is modeled on the GDPR clauses. Both policies’ foundation is the intention to give consumers more control over their data, starting the era of digital rights. While there are similarities in terms of data privacy, there are also significant differences. Thus, if your company has GDPR compliance but also collects data of Californians, you would need a complete CCPA compliance as well. Here, GDPR is just a head start.
B. Who Falls Within the Scope of CCPA?
This may be good news for you! Not all companies need to comply with CCPA principles. The CCPA lawmakers have divided organizations into two groups: non-profit and for-profit.
They have introduced specific criteria for the organizations that fall under its jurisdiction. While non-profit organizations don’t need to comply with CCPA’s requirements, all the for-profit organizations that collect the data of California residents must.
A California resident is defined as an individual residing within California. For instance, a New Yorker visiting Los Angeles for a couple of weeks does not fall under CCPA’s jurisdiction, while a resident of Los Angeles visiting New York is subject to CCPA rules.
Additionally, if your company is not located in the state of California, but processes the Personal Identifiable Information (PII) of Californians, you still need to comply. However, there are more company requirements, because not all can carry the financial burden of CCPA.
Additional company criteria:
- $25 million or more in annual revenue
- PII database of more than 50,000 consumers, households, or devices
- More than half of annual revenue is based on PII sales
For instance, if your company has $35 million in gross annual takings, sensitive data of 30,000 website visitors, and you don’t sell PII, you are excluded from the CCPA rules.
However, if you are a CCPA company, then scroll down!
C. How does CCPA Define Personal Identifiable Information?
Under CCPA, PII is any type of information that can be used to identify private bodies, including individuals, households, and organizations. This kind of information is easy to categorize and it can be extremely damaging for an individual if it falls into the wrong hands.
Examples of PII include:
- Name and Lastname
- Home address
- Email address
- IP address
- Date of birth
- Passport number
- Social security number
- Biometric data
- Geometric and other location data
To collect any kind of personal identifiable information you should use forms that consumers can fill in with minimal effort.
D. The Key CCPA Principles
1. Right to access
This is a core CCPA principle. Californian consumers have the right to access (section 1798.100) the categories and personal information a company has collected on them at any time they find suitable. When a company receives the access request, they need to provide a complete data document as soon as possible.
The questions you are required to answer are:
- What information is collected?
- What is the reason and purpose for data sharing?
- Where did the information originate? ?
- Which third party apps or businesses have access to consumer PII?
The company needs to deliver it in a portable format that enables a consumer to easily read and understand the data as well as to transmit it to another organization. It is important to note that the delivery needs to be free of charge. Even though the consumers have this right, due to a tendency to overuse it, the CCPA lawmakers limited its practice to a maximum of two times in a year.
2. Right of notice
You are not allowed to collect, process, and store any kind of personal identifiable information without sending a notice of such an action to your customers and clients. They need to know what kind of cooperation they are establishing with your company.
This CCPA principle is crucial for preserving your company’s prestigious status and trustworthiness as no customer wants to be in the dark. Today, consumers highly appreciate if a company completely discloses its intentions, functions, and plans. In other words, honesty has never been more valuable for customer loyalty.
According to a Cisco study, 84 percent of consumers indicated that they care about data privacy, both their own data privacy and the privacy of other members of society, and want to have more insights into the collection and processing of their data. Moreover, 48 percent of them have already switched companies due to suspicious data practices.
Today, people have access to information from a plethora of different sources – if you don’t tell them, someone else will. Thus, make sure that you are the first source.
You need to provide with the data on:
- What are the personal information categories you are planning to use?
- Why is the collection necessary?
- With whom do you intend to share their personal information?
- How can they opt-out of any other non-essential data?
You can achieve this notice by adding a well-designed pop-up on your website that will list all the legitimate purposes of data collection. They can further choose if they want to provide you with data that goes beyond the company’s essential needs. The thing you should be especially careful about here is that you are expected to send a notice for any further data collection change, too.
You can design this pop-up, or it may be easier for you if it is a part of your helpdesk software solution that covers all customer needs and complies with CCPA at the same time.
3. Consent
For any kind of valuable personal data, a company must have consumer consent to earn the opportunity to collect it and process it further. When you provide them with a notice you should add consent or rejection options, so they can simply click on them and inform you about their decisions. And it is not easier just for them. You will also have a better overview of their answers that will be carefully recorded in the system.
In a quality database, you will have this information right next to their customer profiles so you have a better picture of the person with whom you are discussing a company issue or their data and purchasing wishes and habits. In other words, you can’t do anything with PII before a customer gives you permission for it. Now the consumer is in charge of their data sharing first.
4. Right to opt-out
The same way you notify them regarding data collection for the company’s internal purposes, you need to inform them about any data sharing or selling to third-party companies. This is how you give them full control over their data. At any phase and for any reason, a consumer has a right to opt-out from data sharing processes and disable your sales in case that is at the core of your business operations.
In the event that you ask them if you can sell their data and they give you their objection, you need to wait for 12 months to ask them again. However, if your business is not based on data sharing, you are supposed to disclose that in your privacy policy sent with the notice regarding data collection practices.
5. Equality
One innovative CCPA principle is the right to equality. This means you must promise your customers that you won’t discriminate against them, i.e. provide lower quality service if they decided to not provide you with their data for non-essential purposes. Those purposes are usually marketing needs or similar. In other words, you shouldn’t make it difficult for them to practice their right to protect their data.
The examples of discrimination are:
- Refusing services
- Giving discounts to customers who gave consent to collect their data for marketing purposes
- Providing lesser quality products
The notice for this CCPA principle shouldn’t be lengthy and ambiguous. Make it short and clear so they can understand it the first time they read it.
5. Right to deletion
Every customer has the right to be forgotten. Thus, they can request a deletion of their data completely if they think it’s a good idea. The same way they request to opt-out, they can request to completely disappear from your database and partner companies’ databases.
However, you also have the right to reject such a request in certain circumstances. You need to be especially careful about how you outline this requirement in your privacy policy at the beginning of your cooperation.
When it comes to your rights you can refuse to delete their PII if:
- You need it for defending or raising a legal claim
- You’ve determined a security incident
Again, you should also provide a brief and accurate explanation of this clause in your privacy policy so that there is no confusion later.
The digital age requires digital rules and that is what exactly the CCPA principles are about. There is an option to comply with the CCPA principles step-by-step. However, that may be time-consuming and you will need a lot of help from law experts. Instead, there is an AI option that can help you solve all these issues within a day, a customer service helpdesk software.