CCPA Becomes CPRA - How will that impact how we do business with the US
The California Consumer Privacy Act (CCPA) was passed in June 2018 and went into effect on January 1, 2020. Under this landmark privacy law, and essentially all organisations that do business with California will need to be compliant.
On November 3, 2020, California voted to approve Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA). CPRA amends and expands the CCPA and will take effect on January 1, 2023.
What are CCPA and CPRA?
CCPA allows California consumers to request a company to show the information it has collected about them and all the third parties with which the data is shared. The law also allows consumers to sue organisations that have violated the privacy guidelines, even if no data breach has occurred.
Sensitive data covered by CCPA include personal identifiers (e.g., name, SSN, address, etc.,) commercial information, biometric data, internet or other electronic network activities, geolocation data, professional or employment-related information, education information, and more.
Companies will incur penalties if unauthorised access occurs through a breach, exfiltration, theft, or disclosure due to the business' violation of the duty to implement and maintain reasonable security procedures and practices. The law allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
CPRA raises the bar even further by giving California consumers new rights to correct their personal data, opt-out of proximate geolocation tracking, and browse any website with pop-ups.
CPRA also requires companies to minimise the retention of California residents' personal data, further restrict the collection and use of sensitive personal information, provide consumers greater transparency on profiling and automated decision-making, as well as regularly assess high-risk data processors.
How CCPA Compares to GDPR
If you have taken steps to adhere to the EU's General Data Protection Regulation (GDPR,) you should be mostly compliant with CCPA. Both laws focus on information that relates to an identifiable natural person, although some of the definitions differ. Also, both can potentially affect businesses located outside the jurisdiction.
However, CCPA takes a broader approach to defining sensitive data. For instance, it covers audio, visual, and olfactory information, as well as internet browsing history and records of a person's interactions with a website or application. It also protects information linked at the household or device level.
While both CCPA and GDPR allows consumers to request their information to be deleted, CCPA allows businesses to refuse such demands on broader grounds. Also, CCPA only requires parental consent for personal data sales while GDPR's parental consent requirements apply to the processing of all consent requests.
What CCPA Means For Businesses
Although CCPA is a state law, it'll impact any company that does business with Californians. While non-Californians can still enjoy many of the benefits, only California residents can opt-out of the sale of personal data to third parties and ask companies to delete their data.
You'll need to comply with CCPA if your business:
Earns gross revenues of more than $25 million in a year,
Buys information of more than 50,000 users, households, or devices per year, or
Earns more than 50% of revenues in a year by selling users' personal information.
Whether you're currently doing business in California or not, complying with CCPA will give you the advantage of being able to expand into California in the future. Also, you'll get your business ready for the privacy laws that many states are currently working on.
How to Stay CCPA Compliant
First, you should figure out how CCPA affects your organisation. Then, map the consumer data you collect (e.g., how they're gathered and stored) and fine-tune your privacy disclosure. You also need to implement mechanisms for consumers to opt-out and submit other requests. Update your systems and train your employees to ensure adherence to the overall strategy.
Companies that are found to have violated the law will get a 30-day window to address the violation. If they fix the damage and the consumer issues a written notice stating that the incident has been rectified, the businesses can avoid having possible action taken against them.
Final Thoughts: Staying CCPA Compliant is Just Good Business
While the CCPA is designed with consumer interest in mind, it also helps businesses strengthen their data security policy -- which is the key to building trust with consumers, protecting your reputation, and avoiding the high cost of data breaches. In fact, data security is a key component in any digital transformation initiative and adhering to the law can help your company thrive in today's business environment.