CCPA and Businesses

Impact of CCPA on Business
The Californian Governor Jerry Brown signed the Californian Consumer Privacy Act (CCPA) into law in June 2018. The CCPA has revolutionised the data privacy rights of Californian residents. CCPA offers new rights to consumers over their data and has introduced new penalties and fines for organisations that fail to comply with its rules.
It is easy to draw a comparison between CCPA and the EU’s General Data Protection Regulations (GDPR). GDPR introduced new standards for data protection in Europe in addition to granting EU residents new rights. Business across the globe have had to change their business practices to be permitted to continue operating within the EU. Although CCPA focusses on consumer rights and not data protection, it will still force business to change how they collect, handle, and use consumer data.
CCPA and Businesses
It is essential that any organisation that is required to comply with CCPA become thoroughly familiar with the legislation. If a business violates CCPA, they can be subject to substantial civil penalties. Section 1798.155(a) of Title 1.81.5 subsection (a) states that California’s attorney general can bring an action against any company or person violating the CCPA for up to $2,500 as allowed by Section 17206 of the Business and Professions Code.
Businesses that fall under CCPA’s jurisdiction must be fully compliant with the legislation from 2020 when the legislation comes into effect. This article outlines some of the most critical aspects of CCPA for businesses.
CCPA’s Scope
Any business that collects consumers’ personal information which does business in California and which satisfies one or more of specific criteria must comply with CCPA. The criteria are as follows:
• has annual gross revenues over twenty-five million dollars ($25,000,000);
• possesses the personal information of 50,000 or more consumers, households, or devices; or • earns more than half of its annual revenue from selling consumers’ personal information.
The physical location of the business is not necessary; as long as the organisation fits the above criteria, it must comply with CCPA. Exemptions to these rules are found on CCPA’s website.
Whom does CCPA protect?
CCPA defines “consumers” as natural persons who are California residents. Californian residents are protected by CCPA even if they are outside of California for short periods. Businesses must still comply with CCPA if a Californian consumer’s data is collected while they are outside of California.
What data does CCPA cover?
Any organisation that handles, collects, or uses personal information of Californian residents must comply with CCPA. CCPA defines “personal information,” or PI, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information may include but is not limited to, online identifiers, IP addresses, email addresses, biometrics, products or services purchased, browsing history, educational and employment information, and profiling information based on inferences.
Businesses and Consumer Rights
CCPA grants new rights to Californian residents over their data. These rights include:
• Right to information and access • Right to portability
• Right to erasure
• Right to opt-out
• Right to equal service
Any business that has been affected by GDPR will be familiar with some of these rights. Businesses may find themselves needing to alter certain practices, such as data collection or data storage methods, to become CCPA-compliant.
For example, businesses will put information on in their privacy policies and websites informing consumers of the right to opt-out of the sale of their data. Businesses must provide clear and straightforward ways for consumers to opt out, such as toll-free numbers and online forms which clearly state “Do not sell my personal information.”
Conclusion – Complexity
CCPA is a complex piece of legislation and businesses must pay careful attention to its stipulation to ensure compliance. Although the initial costs of changing businesses practices can be steep, it is worthwhile to avoid the penalties and associated reputational damage if a violation were to occur.
It is likely that other states will follow in California’s footsteps and introduce legislation improving the data privacy rights of their citizens.