Is your business prepared for the CCPA/CPRA?
There are now two data laws in California to comply with. California-based businesses, and those with Californian customers, need to ensure they are up to speed with both pieces of legislation. They also have to put proper infrastructure in place - or potentially face financial and civil penalties.
The California Consumer Privacy Act (CCPA) regulates how California-based companies protect the personal information of their customers.
The California Privacy Rights Act (CPRA) has since been passed, adding amendments to the CCPA, effective as of January 2023.
Companies should have a specific and targeted approach to ensure CCPA/CPRA compliance. It is easy to lump all data privacy laws together and take a one-size-fits-all approach. But being compliant with one law does not guarantee you are compliant with another.
While the CCPA established new data protection rights for Californian residents, the CPRA sought to strengthen those rights and put in place better mechanisms to ensure compliance.
Does the CCPA apply to our business?
If you are a for-profit business that processes the data of California residents - the short answer is most likely. The law applies to you if your business meets any of the following thresholds:
If you process the personal information of over 100,000 California residents annually, or
Have a gross annual revenue exceeding $25 million, or
Derive over 50% of annual revenue from selling the personal information of California residents.
Under the CCPA, personal information is defined as including:
direct identifiers (e.g. real names, addresses, social security numbers),
indirect identifiers (e.g. anything identifiable that ties to the consumer or their household),
unique identifiers (e.g. cookies and IP addresses),
biometric data,
geolocation data,
internet activity, and
sensitive information (e.g. health data, religious or political affiliations, etc.).
The CCPA does apply to us. What do we need to know?
The CCPA, as amended by the CPRA, creates several rights for how consumer data is collected, shared, and deleted:
The right to know, i.e. the right to request that the business disclose the personal data it has collected about the consumer over the last 12 months.
The right to delete the personal information of the consumer.
The right to opt-out of their personal information being sold.
The right to opt in to personal information being sold, for those under 16.
The right to non-discriminatory treatment for exercising these rights.
The right to privately sue for data breaches.
The right to correction of inaccurate personal information.
The right to limit the use of sensitive personal information.
The right to request information about automated decision-making.
The right to opt out of automated decision-making being used on their personal information.
Since the CPRA has come into effect, these rules apply not only to consumers but also to business-to-business (B2B) data and employee data.
What is new from the CPRA?
Businesses need to take extra care with how they handle the information of their employees, contractors, and any third parties they deal with - guaranteeing them the same rights as their consumers.
The CPRA established the California Privacy Protection Agency (CPPA), which enforces the law alongside the private right of action for consumers. As well as private suits, penalties can range up to $7500 per violation, with each impacted consumer potentially counting as a separate violation.
The CPRA also removes the “cure period”: companies that breach the law no longer have a 30-day window to put the violation right before consumers can take legal action.
Instead, the California Attorney General or the California Privacy Protection Agency (CPPA) may offer a cure period at their discretion - but this is not guaranteed.
How do you practically implement CCPA/CPRA compliance?
There are a few structural practices to put in place:
You must ensure there are the right mechanisms for consumers to exercise these rights. This often comes down to your website and privacy policies.
You must have a properly updated privacy policy that informs customers, at or before the point of data collection, about the types of personal data you collect and why.
You must give consumers a clear and easy way to opt out of their data being sold to third parties.
Proper due diligence needs to be taken with younger consumers - if a consumer is under the age of 16, explicit consent is needed before selling their personal information. For children under the age of 13, a parent or legal guardian must opt in on their behalf.
Having the correct structures in place makes it easier to avoid fines and lawsuits.
Sephora, for example, received a $1.2 million fine for illegally selling data via third-party trackers (cookies), as well as for failing to honour consumer opt-out requests.
There can be a lot to keep in mind, but here’s a quick and easy checklist to help manage your compliance efforts:
Carry out regular risk assessments on how data is collected, stored, and shared.
Regularly review your employee and B2B contracts. Ensure the HR team is aware of the company's responsibilities under the CCPA.
Hire a specific data privacy officer or team to handle the bulk of data privacy and cybersecurity issues.
Map your data so you can see where it is held, where it is sent, and when.
Update and audit your privacy policies on your website. They should clearly define your data governance policy, as well as give consumers all the information needed on how to exercise their rights.
Create tools to protect personal data and regularly audit and review them.