What is the CCPA?
In June 2018, California legislators passed the California Consumer Privacy Act (CCPA or CaCPA), to come into effect from January 1, 2020. It is set to be the most comprehensive data privacy law in the United States and will change the way businesses collect and manage personal customer data.
- California was the first U.S. state to pass a GDPR-like law (CCPA)
- The CCPA regulates the collection, use, and transfers of personal information about California residents
- The CCPA creates new consumer access, deletion and opt-out rights
- The CCPA remains subject to further amendment
- An organization must show that “it has some technology in place” to avoid fines and lawsuits
- The CCPA can lead to class action suits
- Businesses have 30 days' notice to address any violation and confirm that no further violations will occur
Who must comply?
- Businesses that collect personal information of California residents
- Businesses that do business in California, such as engaging in any transaction
Businesses must also exceed one of three thresholds:
- Annual gross revenues are above $25,000,000; OR
- Derives at least 50% of annual revenues from the sale of California consumers’ personal info; OR
- Annually obtains (buys, sells, receives, transfers or otherwise shares) personal info of at least 50K+ California consumers, households or devices
- Collection can be active or passive and is interpreted broadly
- Easy threshold to hit – websites capture IP addresses
The CCPA Legislation
Opt-out from sale of personal data
- Organizations must provide consumers with a clear way to opt-out of the business’ sale of the consumer’s personal information
Notice of data collection and purpose
- Consumers must be presented with the right to information about the business' collection, sale and other disclosure of the consumer's personal information. This includes disclosure of the categories of personal info collected and transferred/sold (to whom info is sold, by category, for each third party) and the business purpose for disclosure
Access to data collected
- Organizations must provide the right to access personal information collected. There must be a minimum of two methods to submit requests, and an organization must respond within 45 days
Right to erasure of personal data
- Right to erasure/request deletion of personal information collected by the business
The CCPA: Data leakage prevention
It is advised that lack of compliance with the CCPA legislation can lead to class action lawsuits.
To avoid crippling lawsuits, fines and brand damage, and to comply fully with the CCPA mandates, it is essential to ensure that the data collected via a website is protected. Businesses will have 30 days' notice to address any violations and confirm that no further violations will occur.
Third-party website technologies are a target for cybercrime groups due to their numerous vulnerabilities and are often a blind spot for organizations, leading to severe data breaches.
Solution: CCPA compliance and data leakage prevention
Our enterprise solution enables protection against website data leakage and cybercrime groups, as well as full global regulation compliance with CCPA and GDPR legislation. Through our data privacy solution, organizations have the ability to fully comply and provide the following functionality:
- Enable “do not sell my personal information” functionality
- Clear “opt out” of data collection
- Disclosure and choice selection for categories and types of data collected and sold (tracking, site personalization, social media), including documentation of where information is sold and of each third party
- Full event-level reporting on opt out, notice, collection and erasure data