Privacy is not a luxury; it’s a necessity. The great Dalai Lama remarked that it is a basic right. In these days of digital connectivity, privacy has become a growing threat for people and businesses alike. To address these concerns and provide consumers with more control over their personal information, the state government of California has established an act called the California Consumer Privacy Act (CCPA). It became operational on January 1st, 2020.
The CCPA is a key piece of legislation that establishes new rights for Residents of California and places duties on companies that gather and use their personal data. This article primarily focuses on how CCPA helps consumers, what CPRA is, and the CCPA/CPRA checklist. If you reside in California or your company extends its services to California residents, it is important to follow these CCPA guidelines. The CCPA introduced a number of rules with the intention of enhancing consumer privacy and data protection.
Here, we’ll go into more detail about how the CCPA helps customers, give a general review of the California Privacy Rights Act (CPRA), and present a CCPA checklist for companies to use in ensuring compliance with both laws.
WHAT IS CCPA/CPRA?
The California Consumer Privacy Act (CCPA) was effective on January 1, 2022, in California. It is a comprehensive data privacy law that was enacted to help California residents. The CCPA helps California residents with their new rights regarding the collection, use, and sharing of their personal information by businesses. It also imposes obligations on businesses that collect and process personal data.
The main and most important goal of CCPA is to enhance the customer’s privacy and provide individuals with more control over their personal information in this digital age. This new law applies to businesses that meet certain criteria, including those that operate in California and collect information from California residents.
The California Consumer Privacy Act (CCPA), revised by the California Privacy Rights Act (CPRA), significantly influences the privacy and data security environment and alters how businesses conduct themselves. It stands as the first comprehensive consumer privacy law in the United States.
WHEN DOES THE CCPA APPLY TO COMPANIES?
The CCPA applies to companies that are for profit organizations and to companies that meet any of the following.
- Having revenue of $25 million or more.
- Buy or sell the personal information of 100,000 or more California residents, or any devices.
- Getting 50% or more of their revenue, which they make yearly by selling the personal data of California residents.
The CCPA rules state that “selling, renting, exchanging, revealing, or otherwise communicating verbally, in writing, or by any other means, personal information about a consumer by the company to any other business of any third party for monetary or other consideration” is considered to be the sale of the personal data.
Citizens of California have been empowered under the CCPA to choose not to have their data sold to third parties, to ask for disclosure of their data that has already been obtained (right of access), and to ask for the deletion of their data. Residents of California also have the right to notification and the right to be treated without prejudice if they choose to use their rights.
WHAT ARE THE CCPA’s RIGHTS?
Residents of California have a number of rights with regard to their personal information under the California Consumer Privacy Act (CCPA). These rights enable people to have more control over how corporations gather, use, and share their personal data. Among the CCPA rights are:
Right to know:
- Consumers have a right to knowledge about how corporations gather, utilize, disclose, and sell their personal information.
- They have the right to precise information about the types of third parties with whom their information is shared, as well as the categories of personal information that are being collected, where it is coming from, and why.
Right to Opt-Out for Sale:
- Customers have the choice not to allow their personal information to be sold to outside parties.
- Businesses must make it easy for customers to exercise this right by including a prominent “Do Not Sell My Personal Information” link on their website or mobile application.
Right to deletion:
- Customers have the right to ask firms to delete any personal information they may hold on them, with some restrictions.
- Businesses are required to remove the requested personal information and instruct any service providers to do the same after receiving a legitimate deletion request.
Right to Non-discrimination:
- Businesses are not allowed to treat customers unfairly if they use their CCPA rights.
- This implies that companies cannot refuse customers who exercise their right to privacy products or services, charge them a different price, or offer them a lower quality of service.
Voters in California enacted Proposition 24, or the CPRA, in November 2020, amending the CCPA and adding new privacy provisions that took effect on January 1, 2023. Consumers will have new rights from January 1, 2023, in addition to the ones listed above, including:
Right to correct:
- The CPRA gives people the right to ask firms to amend any erroneous personal information they may have about them.
- Customers have the right to request that firms update any inaccurate, misleading, or incomplete information they may have about them.
Right to limit:
- The CPRA has introduced a brand-new classification of personal data known as “sensitive personal information.”
- Residents of California will have the option to restrict how their sensitive personal information—including information on their ethnicity, religion, health, sexual orientation, finances, exact location, and more—is used and disclosed.
Residents of California are given a number of significant rights under the California Consumer Privacy Act (CCPA), enabling them to have more control over their personal information. These rights allow consumers and residents of California to have control over and protect their personal data.
THE CCPA COMPLIANCE CHECKLIST
Businesses operating in California or gathering personal information from California citizens have to conform to the CCPA guidelines. Businesses can utilize a CCPA checklist as a useful reference to manage the complexity of the legislation and maintain compliance. This CCPA checklist provides the necessary procedures and specifications to fulfill CCPA duties, safeguard customer privacy, and create accountability for data activities. Let’s move on to it.
Update privacy policies: It is crucial to ensure that privacy policies are in line with the precise criteria of the California Consumer Privacy Act in order for businesses to properly comply with the CCPA guidelines. To promote openness and safeguard the rights of consumers, the CCPA establishes specific clauses and disclosures that must be included in privacy policies.
Methods of Accessibility: Businesses should provide a straightforward process for customers to seek data access and deletion in order to comply with the California Consumer Privacy Act and give consumers an accessible way to exercise their rights.
Verification system: Businesses are obligated to set up procedures for confirming the identification of anyone requesting data access under the California Consumer Privacy Act. The security and privacy of personal information are improved, and sensitive data is protected by preventing unauthorized access by confirming the identity of the requestor.
Data management: Businesses should keep thorough records, data maps, and inventories of the personal data of Californians in order to comply with the California Consumer Privacy Act and swiftly respond to requests for data access and deletion. These tools support firms in understanding their data processes, finding pertinent data, and quickly responding to customer demands.
Opt-out mechanism: An efficient approach to adhering to the California Consumer Privacy Act (CCPA) and respecting user privacy choices is to have an opt-out option on your website. Customers can exercise their right to refuse the sale of their personal information by receiving a clear and easy-to-use opt-out mechanism, which eliminates the need for manual involvement.
Obtain consent for minors: Specific guidelines for the gathering and processing of personal data from children are included in the California Consumer Privacy Act. Before collecting or selling the personal information of children under the age of 16, companies must seek the children’s explicit consent, according to the CCPA guidelines.
The CCPA’s consent requirements for minors are summarized as follows:
- 13- to 16-year-old minors:
- Before collecting or selling the personal information of kids, ages 13 to 16, organizations must have their explicit approval, often known as “opt-in” consent.
- The minors themselves must grant their approval. Organizations must create a procedure for gaining explicit consent since implicit consent is not presumed to exist.
- Children Under 13:
- For minors under the age of 13, organizations are required to obtain consent from the minor’s parent or guardian before collecting or selling their personal information.
- Organizations should implement processes to verify that the person giving consent is the parent or guardian of the minor.
Businesses should become aware of the CCPA guidelines, such as the need to update privacy policies, set up procedures for managing customer requests, train staff, and put in place suitable security measures, in order to ensure compliance. Businesses should also keep up-to-date on any CCPA modifications or revisions and periodically assess and adjust their compliance activities in accordance.
Compliance with the California Consumer Privacy Act is essential not only for legal reasons but also to win over customers’ trust and show that you care about keeping their information private. Businesses may build a solid basis for maintaining compliance with the CCPA and satisfying customer expectations in the ever-evolving world of data protection rules by adhering to the CCPA criteria and employing best practices for data privacy.
FAQ
How long must the company take to reply to my deletion request?
Businesses have 45 calendar days to reply to your request. If they let you know, they can extend that deadline by an additional 45 days, for a total of 90 days. Check the company’s privacy policy to make sure you made your request in the proper manner if you requested deletion and did not hear back within the allotted period.
How can I discover data brokers that buy and sell my personal data?
On the Attorney General’s website, you may find the Data Broker Registry. Data brokers must comply with the CCPA. Each registered data broker’s contact details and website link are available on the Data Broker Registry website.
Where can I find a company's privacy statement?
Most companies make their privacy policies available on their websites. Usually, the homepage and other pages have a link to it at the bottom. The title of the link may contain the words “Privacy” or “California Privacy Rights.”
Is cookie notice required by the CCPA?
Both the California Privacy Rights Act (CPRA) and the California Consumer Protection Act (CCPA) do not specifically call for a cookie banner. However, you may rapidly fulfill other criteria if you do have a cookie banner. Businesses must give consumers privacy notifications under the CCPA.
Can cookies be used without permission?
In accordance with the GDPR and the ePrivacy Directive, websites must request users’ permission before using cookies that are not required to access the website’s functionality. Because they gather user information for their purposes, some cookies require permission. It is against the law to gather data from users without their permission.
About the Author
SHREYAS SHASTHA DRUPADHA
Shreyas Shastha Drupadha, a Senior Business Consultant. Serving as an ISO 27001 Lead Auditor, Shreyas ensures the establishment of robust information security management systems. His expertise also encompasses GDPR, HIPAA, CCPA, and PIPEDA implementation.
HOW DO GRC TOOLS HELP IDENTIFY AND MITIGATE RISKS?
In today’s fast-paced business environment, emerging threats and risks negatively influence business operations. Threats can arise from different sources, such as cybersecurity compliance requirements, supply chain disruption, and natural disasters. Thus, the...
AI SECURITY: UNDERSTANDING THREATS AND COMPLIANCE SOLUTIONS
Artificial Intelligence continues to grow and become more relevant in workplaces. Customers widely use it to handle market products. Organizations are desperately using AI for their businesses, ensuring that the AI systems comply with the new rules and regulations. In...
HOW DOES THE NIST CYBERSECURITY FRAMEWORK FUNCTION, AND WHY IS IT IMPORTANT?
Emerging cyber threats make cybersecurity an essential consideration for organizations handling and managing data. In this regard, the NIST cybersecurity framework applies to improving your cybersecurity program. It is a set of guidelines that helps improve your...