On January 1, 2020, the California Consumer Privacy Act (CCPA) will mandate that businesses adhere to new standards. You need to understand this law and what qualifies as personal information (PI). This article will answer questions and help your business be in compliance by 2020.
What is the CCPA?
The purpose of the CCPA law is to ensure that customer PI is protected. The law also allows residents to ask businesses what PI they have for them.
Residents can choose to either agree or decline to provide PI. Companies are also prevented from selling customer PI to other businesses if every aspect of the commercial conduct takes place wholly outside California.
What Is Personal Information Protected Under CCPA?
The CCPA defines PI as all consumer identifiers. This can include names/aliases, account names, and mailing or email addresses. Also, social security, driver’s license, and passport numbers.
This law also protects customer online metrics. This includes search and browsing histories as well as email addresses. Anything that reflects consumer’s preferences, characteristics, predispositions, attitudes, intelligence, or psychological trends is protected.
Summary of the CCPA Laws
The CCPA Laws contain 4 building blocks. These sections define the terms and criteria for compliance.
First Building Block: Information
“Information” described the type of PI regulated under the CCPA. The definition is open for broad interpretation.
Objective statements describe data that is concrete. Such as a blood test result. Subjective statements describe opinions such as “a reliable borrower”.
The law doesn’t require that information is true or proven to qualify as PI. Also, consumers can’t request the correction of inaccurate information. Non-sensitive information, such as browsing history or IP addresses, also falls under the CCPA scope.
PI may be in any format or medium including graphic format or sound recordings.
The term “information” includes all communication or receipt of knowledge or intelligence. A human mind must be able to interpret the communication. Thus, machine to machine communications not understood by a human is not regulated.
Second Building Block: Required Nexus
Businesses must put an effective nexus in place to protect the consumer or household anonymity. If the purpose of collecting information is to identify consumer’s buying habits for an ad campaign, that falls under PI. If information is to determine how many web site hits “real” unidentifiable people make, it’s not PI.
If a business sells data, they are a data broker and subject to CCPA regulation. For example, a pharmacy may sell information about prescriptions written by a doctor. In this case, the doctor must receive the option to “opt-out”.
If a company tracks employee work patterns, even for the purpose of providing better service, this may be PI under CCPA.
For example, a city may use a satellite system to track buses. This may also collect data about whether drivers adhere to speed limits and itineraries. This information can reasonably identify the driver
Third Building Block: Identification
Within groups, a person is “identified” when he/she is “distinguished” from other group members. The law states that any information that directly or indirectly identifies a person or household is regulated.
Direct identifiers include names and addresses. Indirect identifiers may describe a group with unique characteristics that allow identifications. CCPA states companies must practice due diligence in protecting consumer or household PI.
Information not directly or indirectly connected to consumers or households falls outside the CCPA’s scope. CCPA may consider information anonymous if it’s “not maintained in a manner that would be considered personal information.” If a third party has the information, the business may defer responsibility.
One anonymous example is computer logs that aren’t linked to individual accounts. These IP addresses aren’t considered PI. Yet, if the business has other information that could be distinguishable, it may then be PI.
Video surveillance isn’t subject to CCPA if there’s no process to identify anyone. If the video undergoes the identification of subjects, it falls under the law from collection until deletion.
Fourth Building Block: Whose Information
CCPA’s purpose is to protect the consumer and household information. The term, “consumer” applies to resident or employee California taxpayers. The CCPA doesn’t define the term “household”.
All rights granted under the CCPA apply to consumers and not households.
How to Become CCPA Compliant
California is the first state to pass a comprehensive consumer privacy law. Other states may soon draft their own policies. This may even lead to new national privacy laws.
Here are 8 steps to help you prepare.
1. Find Out If the CCPA Applies to You
The CCPA applies to all for-profit legal organizations that collect consumer’s personal information. Also, if your company determines the process and reason for the collection of PI. The CPPA applies if you do business in California even if you are located elsewhere.
The company must also meet one of these annual criteria:
- Have a gross revenue of $25 million or more
- Gather PI for at least 50,000 consumers, households, or devices
- Half of the annual revenue must come from the sale of PI
The consumer must be a natural person living in California.
2. Map Consumer Data
If you fall under the scope of the CCPA, begin mapping the PI your business controls. The following questions may help with your map:
- Define the PI your collect or possess
- Describe how you collect PI
- Describe where and how you store PI
- List any entities you share with which you share PI
- Do you sell PI?
- Is provision of PI part of your service or used for something else?
Remember to include any third-party vendors you share PI with or from whom you obtain PI.
3. Privacy Disclosures
Be sure to update your privacy disclosures. Inform consumers of precisely what PI you collect and how the PI will be used. You must also tell consumers if a third party receives this PI as well.
4. Homepage Privacy Link
The CCPA requires companies to provide a link on their homepage to their privacy policy. The link title must be, “Do Not Sell My Information.” The link must allow consumers to opt-out of having their PI sold.
5. Process for Consumer Requests
Develop your policies for responding to consumer requests for information about their PI. You may not charge a fee for requests. You must also respond to their request within 45 days.
Consumers may request the following information:
- A copy of their PI
- Request deletion of their PI
- Find out which categories of their PI are being sold
- Consumers over 16 years of age, may request to opt-out of the sale of their PI
- Consumers age 13 to 16 may opt-in for sale of their PI
- Consumers under age 13 must have guardian consent to sell PI
If you don’t collect and follow the age rules, the law considers that you knew the consumer’s age. You could risk compliance violations.
6. System Changes
Start working with IT now to implement all the changes described.
7. Employee Education
Train all employees involved in key aspects of the business related to CCPA compliance. Document training on procedures and system updates.
8. Data Security
If there is a breach in the PI system, consumers can seek damage. They must prove that the business violated its duty to reasonable security procedures. Update appropriate security personal on policies and active monitoring systems.
Does Your Business Need CCPA Compliance?
Does your company collect customer’s personal information? Do you have a system in place to ensure that PI is protected?
Truyo provides a fully automated, end-to-end solution to your PI compliance. Our secure privacy portal allows automated identity validation. They Truyo system also communicates with data subjects and is multilingual ready.
Continue reading through our site for more information. Request a product demonstration today.
About Ale Johnson
Ale Johnson is the Marketing Manager at Truyo.