With 1.145 trillion megabytes created every day, data has become one of the most valuable resources in the world. And with businesses collecting and utilizing that data to power better customer experiences and marketing strategies, it only makes sense that state and federal entities are imposing legislation on how all of it is collected, used, and disclosed.
One US state in particular, California, has set a precedent for protecting consumers’ privacy with regard to the collection and sale of personal information. In this article, we highlight what you need to know about California’s consumer privacy regulations and how they’ll impact your business.
What is CCPA?
Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. When it passed, the CCPA became known as a landmark piece of consumer privacy rights legislation because it requires certain businesses to disclose the personal data they’ve collected on a consumer whenever that person requests it. The CCPA went into effect on January 1, 2020.
What is CPRA?
The California Privacy Rights Act (CPRA), also known as Proposition 24, is defined as an amendment of the CCPA and specifically states that it “amends” existing provisions of Title 1.81.5 of the California Civil Code, known as the CCPA, and adds new provisions related to the establishment of the CCPA.
As of right now, it’s unknown whether Title 1.81.5 will continue to be referred to as the CCPA or will instead be referred to as the CPRA once the amendments take effect on January 1, 2023, with enforcement beginning July 1, 2023.
Who needs to comply with CCPA and CPRA?
The CCPA and CPRA apply to any businesses that process the personal information of consumers in California. While technically the law applies to companies that do business in California, many out-of-state merchants still have to comply. Organizations that sell to Californians or display a website in the state must consider both the CCPA and CPRA.
The law states that those that meet at least one of the following criteria must comply:
- Have annual gross revenue of at least $25 million
- Annually buy, sell, receive, or share personal information from at least 100,000 consumers, households, or devices
- Make over 50% of gross annual revenue from selling or sharing personal information
With these criteria, however, the term “personal information” is extremely broad. So, what’s included in the definition?
- Home address
- Email address
- Date of birth
- Social security number or passport number
- Biometric data
- Geolocation and other location-specific data
- Records of purchase history
- Internet browsing history
- Digital fingerprints
- Inferences from other data that can be used to create preference and characteristic profiles
Who enforces CCPA and CPRA?
The CCPA is enforced by the California Office of the Attorney General. Once in effect, the CPRA will be enforced by the new California Privacy Protection Agency (CPPA), which has full investigative, enforcement, and rule-making authority. There are a few major, yet interesting, differences between the CCPA and CPRA. Under the CPRA, if an organization is approached by the agency for a violation, it will have 30 days to remedy that violation to avoid receiving a penalty. Right now, this latitude is effective until January 1, 2025.
Another interesting difference between the two laws is that the exemption for employee/HR data was not extended. Beginning January 1, 2023, employee/HR data will therefore be considered consumer data and fall within the scope of the CPRA.
What rights does CCPA provide to consumers?
The CCPA created six specific rights for consumers, or “a natural person who is a California resident as defined in the state’s tax regulations”:
1. The right to know (or request disclosure of) personal information collected by a business about the consumer including from whom it was collected, why it was collected, and if sold, to whom
2. The right to delete personal information collected from the consumer
3. The right to opt-out of the sale of personal information
4. The right to opt-in to the sale of personal information of consumers under the age of 16
5. The right to non-discriminatory treatment for exercising rights
6. The right to initiate a private cause of action for data breaches
With the CPRA, two additional rights were created:
7. The right to correct inaccurate personal information
8. The right to limit the use and disclosure of sensitive personal information
Why is CCPA important?
Both the CCPA and CPRA provide great benefits to consumers. They enable consumers to have control over their data in ways they previously couldn’t, and in ways some may not have thought possible.
In all, these privacy laws grant consumers in California greater transparency from companies, which now have to be upfront and honest about what information is collected and for what purpose. Additionally, personal information cannot be sold without the consent of the consumer, further protecting their right to privacy.
The CCPA and CPRA are also setting a precedent for other US states to follow suit. For example, Colorado, Connecticut, Utah, and Virginia have all enacted comprehensive consumer privacy laws in an effort to further preserve consumers’ privacy. These states even have several provisions in common with California’s CCPA, including the right to access and delete personal information as well as to opt-out of the sale of personal information.
Do CCPA and CPRA benefit businesses?
Data privacy regulations have been and will continue to be a huge topic of debate in the US and across the globe. As consumers increasingly care about and demand transparency and privacy from businesses, they’ll gravitate toward those that provide it to them. And while businesses operating in California will be CCPA compliant, if they also operate in other states, their robust privacy measures may then provide a significant competitive advantage.
And because both pieces of legislation restrict the sale of consumers’ personal information between businesses, businesses will now have to rely more on first-party data, as opposed to third-party data. This means that they have to collect their own data on customers. Relying on first-party data greatly benefits them because they’ll know exactly where their information comes from, thereby ensuring its accuracy and reliability.
How can Americaneagle.com help with CCPA compliance?
Here at Americaneagle.com, we have data privacy experts who can perform an audit on both your website and your third-party integrations’ current CCPA compliance level as well as provide recommendations for further compliance. Through our comprehensive audit, we review all of your database collection systems, forms, and query strings, in addition to any third-party systems that may be collecting information from your consumers. From there, we recommend a custom suite of tools to help you navigate your consumers’ data.
*The content herein is for informational purposes only and is not intended to be taken as legal advice. If you have any legal concerns, we encourage you to seek competent legal counsel for advice.