Even GDPR-compliant Privacy Policies will need some changes to become CCPA-compliant, however, so read on to find out what requirements the CCPA has.
Does the CCPA Apply to Your Business?
Unlike CalOPPA, the CCPA does not apply to all businesses that collect personal information from California residents. The CCPA is more specific and will affect any business that meets the following criteria:
- Operates for a profit
- Does business in California
- Collects consumer data
As well as at least one of these additional criteria:
- Makes more than $25 million in annual revenue
- Holds the personal information of 50,000 or more consumers, households, or devices
- Earns more than half of its income by selling the personal data of consumers
To clarify, a business must meet all three conditions in the first list and at least one condition from the second list to fall within the CCPA's jurisdiction. Here are a few more clarifications:
- "Doing business in California" includes businesses that are located or operated from the state of California, as well as companies who are subject to California taxes or make sales into the state of California.
- Personal data is defined by the CCPA as any information that does or potentially could be used to identify an individual or household, including 'anonymous' data such as IP address, geolocation, and website activity logs.
- When the CCPA refers to "selling" consumer information, this term also includes sharing personal information with third parties for "valuable consideration." The term "valuable consideration" has not yet been defined, so it is unclear how this concept might be interpreted in business practice.
In short, the CCPA applies to many businesses in the United States, but not all. It is narrower in scope than many other privacy laws, but no less expansive in its requirements.
What Are the Differences Between the CCPA, CalOPPA, and the GDPR?
Here are some of the differences between the three laws that may directly affect your business:
- Personal information - The CCPA extends the definition of personal data to include anonymous website activity logs, even if they don't involve IP addresses. Neither the GDPR nor CalOPPA defines personal information so broadly. Unlike the GDPR, however, the CCPA makes no special provision for "special" or "sensitive" categories of data.
- Children - The GDPR defines a child as an individual under the age of 16 while COPPA's rule is below the age of 13. The CCPA is more specific. For the CCPA, an individual under the age of 16 must provide opt-in consent for their personal information to be sold. Children under the age of 13 must provide valid parental consent in order for their information to be sold.
- Legal basis - The CCPA does not require companies to establish a legal basis or obtain consent in order to collect personal data, as does the GDPR, except for when sharing the data of minors or offering financial incentives in exchange for personal information.
- Required disclosures - The GDPR requires the business to publish contact details and many regulation specifics, such as the right to lodge a complaint. The details that the CCPA requires are far fewer.
- Shared data categories - The CCPA requires businesses to disclose which categories of consumer data they have shared within the past 12 months, which is not required by the GDPR or CalOPPA.
- Right to Erasure - The right to erasure under the CCPA is virtually universal. Where the GDPR allows for businesses to retain consumer data if they have a legal basis to do so, the CCPA allows for very few exceptions. Time constraints also differ slightly between the two regulations.
- Right to Object - The GDPR grants EU consumers the right to object to all data processing, but the CCPA only allows consumers to object to the sale of their personal data to third parties. However, once a consumer has objected to third-party data sharing, the business must comply without exception, while the GDPR does allow for some exceptions.
- Right to Access - Both the GDPR and the CCPA grant consumers the right to know what information has been collected about them. Under the CCPA, however, the business only needs to inform the consumer about the information that has been collected, used, or shared within the past 12 months, while the GDPR requires that the business reproduce all consumer data.
- Right not to be subject to discrimination for the exercise of rights - The CCPA is the only regulation that specifies this provision. Under the CCPA, businesses may not refuse goods or services to individuals who exercise their consumer rights.
- Other differences - The CCPA does not address some items that are included in the GDPR and CalOPPA, namely the right to rectification, automated processing, and Do Not Track (DNT) signals.
The final difference, and possibly the most crucial, is a new approach to punitive damages for businesses that do not comply with the CCPA. If an applicable business doesn't comply by January 2020, the CCPA makes it possible for the business to be fined up to $7,500 per infraction.
To be clear, per infraction means per person. A business that mishandles the personal data of 1,000 consumers could be fined $7.5 million, just like that. There is no cap on this type of penalty.
Wait, there's more. The CCPA also grants citizens the right to seek civil damages from businesses that violate their privacy rights.
In short, if your business falls under CCPA jurisdiction, compliance is a must if you want to avoid potentially enormous financial penalties.
Conduct a privacy law self-audit to make sure you're prepared.
1. Be Transparent
- The categories of personal information you have collected in the past 12 months
- The sources for each of those categories of personal information
- Your purposes for collecting each category of personal information
- How each category of personal data is shared and why
- If personal information was sold for monetary gain or valuable consideration, list those categories of data that were sold
- If your business does not sell consumer data, make sure to mention this as well
Since GitHub does not sell personal data for monetary gain, it includes this point as well:
2. List Consumer Rights
- The right to know which personal information is being collected
- The right to know if personal data is being sold or shared, and to whom
- The right to object to the sale of personal data
- The right to access one's own personal information
- The right to equal service and price, even for consumers who exercise their privacy rights
Techbuyer lists these rights in detail within its CCPA Privacy Notice, beginning with the right to access:
The remaining rights are listed below the first, each containing details pertaining to the types of information collected, shared, or processed.
3. Describe How to Exercise Consumer Rights
Beyond listing consumer rights, the CCPA also requires that you post instructions on how consumers may exercise those rights. You must provide at least two different contact methods that consumers may use to make requests regarding their rights.
Again, Techbuyer includes a good example of how this is done:
In addition to the contact methods described above, you must provide a dedicated link for users to opt out of consumer data sales. Of course, if your business does not sell consumer data for "monetary or other valuable consideration", then you can disregard this step.
The same link (with the same specific wording) should also be placed on your homepage or within your footer bar.