The CCPA can be as complicated as it is far-reaching. And with California’s population of nearly 40 million, compliance is a must for many international companies. So, what exactly is the CCPA all about, how does it pertain to you, and what does compliance mean for your business?
The CCPA Explained
As of Jan. 1, 2020, a new data privacy regulation came into force. As its website explains, “The California Consumer Privacy Act, or CCPA, gives consumers more control over the personal information that businesses collect about them.” The CCPA is considered law, and its regulations provide guidance on exactly how this law should be implemented.
But what really sets the CCPA apart from your everyday, run-of-the-mill statute is that it automatically applies to every California resident (yep, all 40 mil. of them), and these residents are considered “natural persons”, i.e., not corporations or business entities. This “California birthright” makes the CCPA a landmark regulation that stretches far beyond its state borders.
Who’s Protected?
Speaking of rights, the CCPA actually lays out the specific privacy rights granted to all Californians. Let’s see what they are:
These four rights paint a clear picture for any corporation whose business relies on collecting online data about its California-based customers or consumers. By simply becoming aware of these four rights, you’ve taken the first step toward CCPA compliance.
Who’s Affected?
Now we know who the CCPA is meant to protect, but there’s still the other side of the coin. You also need to know if the CCPA pertains to your business specifically. Did you know there are three main criteria that describe the types of companies affected by the CCPA?
One of the CCPA’s primary goals is to secure the state’s residents and their private data from being abused or misused by large corporations. It’s not meant to hinder or burden all businesses, however. It specifically applies to those that sell California residents’ personal information in any capacity. But just to be sure, let’s lay this out clearly.
Here it’s worth pointing out that your company isn’t required to meet all three criteria before having to worry about the CCPA. In fact, only one of the three is needed.
Who’s (Not) Excluded?
Alright, let’s say for this scenario, you’re a large-scale social media company that makes the majority of its earnings by collecting and selling your users’ personal information. Let’s also say you’re not even based in the US. Actually, your corporate headquarters are in Berlin. Does the CCPA still apply to you?
Well, it might if one of your hypothetical social media apps is not only available in California but is actively used by Californian residents. In this case, even though your company is 100% online and internationally based, you still need to abide by the CCPA, assuming your business scale is large enough to meet the criteria above.
So, you’ve established that the CCPA applies to you. Now what? It’s safe to say, you’re going to have to make some changes…
What CCPA Compliance Actually Looks Like
For starters, your website (app) will now have to include the following:
But the CCPA isn’t only meant to regulate your website. It also states that when companies receive a DSAR (learn more about DSARs here), they must provide all of the information collected over the past 12 months to the consumer – and you guessed it – free of charge.
And last but not least, CCPA-compliant businesses are prohibited from discriminating against users who opt out of the company’s data collection and sale policy.
Updates in the CPRA
By covering who the CCPA protects, which businesses it affects, and the changes it requires, we’ve gained a summarized understanding of the law.
And it’s precisely this understanding that provides a base for learning about the California Privacy Rights Act (CPRA), which, as of Jan. 1, 2023, has effectively encompassed, added on to, and replaced the CCPA. To keep you up-to-date on all changes, we’ve actually already covered the CPRA here.
Every Company’s Responsibility
Of course, both the CCPA and the CPRA are a bit more complicated than can be expressed in a single sitting. But now, at the very least, you’re armed with a better understanding of what these regulations could mean for you.
Now the final step is to actually implement the changes described above, guaranteeing that your business remains 100% compliant. Not because you’re afraid of potential fines or legal trouble. Not because it’s a trendy thing to do. But because, for you, regulatory compliance is simply the best way to show that you truly value your customers and their well-being online.