What Is CCPA, and What Will It Bring in 2020?
The California Consumer Privacy Act (CCPA), one of the biggest privacy laws, just went into effect. Learn about the regulation and the requirements companies must follow.
What is the CCPA Regulation?
January 1, 2020 marked the official start of the California Consumer Privacy Act (CCPA), the newest data privacy legislation enacted to protect private information gathered from California residents — nearly 40 million people. In response to increasing amounts of personal data that companies can gather and use, the act intends to protect personal information of California residents.
Similar to the General Data Protection Regulation (GDPR) in Europe, the CCPA provides the consumer with rights regarding the protection and storage of their personal data online. Read more to learn how to comply and how CookiePro can make compliance with CCPA simple.
The CCPA Timeline
- June 28, 2018 – AB 375 signed into law and Mactaggart’s ballot initiative withdrawn
- September 23, 2018 – Senate Bill No. 1121 signed into law, modifying the CCPA
- January 1, 2019 – Data mapping and recordkeeping requirements start
- October 10, 2019 – The California Attorney General, Xavier Becerra, released the proposed text for the CCPA Regulations
- October 11, 2019 – California Governor signs CCPA amendments into law
- January 1, 2020 – CCPA goes into effect
- Spring 2020 – Attorney General regulations expected to be finalized
- July 1, 2020 – Enforcement begins
Does the CCPA affect me?
The CCPA affects for-profit businesses that meet one or more of the following criteria:
- Annual gross revenue over US$25 million.
- Buys, receives, or shares personal information of 50,000 or more consumers, households, or devices per year.
- Derives at least 50% of annual revenue from selling California residents’ personal information.
The CCPA also impacts service providers that process personal information and third parties that receive or purchase personal information.
Non-profit organizations aren’t affected by the CCPA.
What kind of data does the CCPA cover?
The CCPA defines personal data as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include name, browsing history, search history, postal address, IP address, email address, social security number, driver’s license number, and geolocation data. The law also addresses emerging technology by including biometric data, such as DNA or images of the eyes, fingerprints, hand, and face.
What are consumer rights for the CCPA?
The CCPA outlines a few rights that companies must adhere to when handling the personal data of California residents, also referred to as consumers.
Residents of California have the right to know what personal data is being collected about them and the right to request that this information be deleted. They will also have the right to know the details of how their data is being used, who the data is sold to or shared with, and they can request that their data not be sold to third parties. In addition, Californians will have the right to request access to their personal data. Here are the rights in detail:
- Right to Notice: Businesses must tell consumers which categories of personal information will be collected at or prior to the point of collection and how the personal information will be used.
- Right to Access: Consumers can request access to any personal information that a business has stored about them. The CCPA also has a “lookback” rule, which allows consumers to make a request for records covering a 12-month period preceding the request.
- Right to Delete: California consumers can request that their personal information be deleted. Businesses must delete any information deemed personal under the CCPA, including name, email address, social security number, driver’s license number, passport number, and other forms of data.
How does the CCPA affect cookies?
Cookies collect and store information on your website. The information is often unique and identifiable, all of which is subject to the CCPA. The CCPA requires businesses that meet the criteria outlined to comply by including a cookie banner, a preference center, and a “Do Not Sell” link so consumers have the choice to opt out of the collection of their data.
Having an all-in-one solution for scanning and categorizing cookies ensures that you can take steps to comply with the requirements of CCPA. CookiePro is the go-to software for scanning, categorizing, and making CCPA compliance simple. In addition to scanning for cookies, CookiePro automates the intake of California consumers’ requests to access and delete identifiable information.
How does the CCPA affect the sale of personal information?
Under the CCPA, consumers have the right to tell companies to not “sell” their personal data that has been collected. The law requires this feature be prominently advertised with a link or button that reads “Do Not Sell My Personal Information.” The link or button should take you to a page with more information, including how you can make the request—such as through a web form, email address, or phone number.
CookiePro offers different solutions that enable companies to add a “Do Not Sell” link or button in their cookie banner, preference center or directly on the website. Check out the solutions here.
How does the CCPA affect mobile apps?
Beyond websites, the CCPA also impacts how mobile apps collect and store personal data. Information collected on mobile apps is unique and identifiable, so detecting and categorizing cookies and other tracking data in your app is equally important.
By leveraging these tools, organizations can implement privacy by design into their mobile strategy and collect consent, scan for tracking technologies and unknown SDKs, and give both privacy and mobile app development teams visibility into how their app is sharing data with third parties.
CCPA in 2020
Data privacy is not a new topic, but it really started making headlines last year, inspired by major data breaches and leaks. The European Union’s General Data Protection Regulation (GDPR) has been in effect for over a year and has inspired other legislative efforts around the world, such as CCPA, SB-220 and LGPD.
With CCPA in effect, brands have to take notice and adjust their privacy programs to meet requirements. Unlike GDPR, which is an opt-in law, CCPA is an opt-out regulation. Even though CCPA is specific to the state of California, brands, marketers, advertisers, and publishers need to be thinking about data policies that prioritize consent from consumers.
By getting ahead of CCPA and making privacy a priority, brands can improve customer relationships and build trust. The starting point towards compliance is understanding how personal data is collected and used in your organization. Learn more here about steps towards CCPA compliance.
Get Started Today
As companies prepare for the CCPA, they must keep in mind that a privacy program needs to adapt and change according to applicable privacy law, as well as each company’s objectives. Regardless of where you are in your privacy program, it’s never too late to start preparing for CCPA compliance. Contact us today if you have questions or click here to learn more about the regulation.