The California Consumer Privacy Act (CCPA) gives consumers more control over the personally identifiable information (PII) that businesses collect about them. CCPA secures new privacy rights for California consumers, including the right to know about the PII a business collects about them, the right to delete PII collected, the right to opt out of the sale of their PII, and the right to non-discrimination for exercising their CCPA rights.
Small and mid-sized businesses can use CCPA compliance to signal to consumers that they have a level of organization and staying power comparable to that of larger, established companies.
It can cost you $2,500 for each CCPA violation, or $7,500 for each intentional violation. A violation occurs each time a consumer's rights are violated by a non-compliant business.
CCPA is a critical part of the data privacy experience you create for your consumers; every privacy touchpoint should be clear and transparent. This way, consumers feel their needs are being addressed and can better understand the process.
Consumers today are more aware than ever of how much personally identifiable information they share with businesses, and they want to know companies take their privacy seriously. By giving them the opportunity to make privacy requests, your organization can build a great amount of trust and goodwill.
Create a competitive advantage for your organization by ensuring consumers feel their needs are being addressed. Get out ahead of privacy laws that will be implemented in the future.
Data privacy laws like CCPA will be the way of the future for businesses operating in most U.S. states, if not nationally. For businesses with an online presence, it’s a question of when—not if—one of these new privacy laws will apply to you. If you’re already CCPA compliant, it will require much less effort to comply with similar laws from other states down the road.
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. CCPA gives consumers the right to:
The CCPA regulations provide guidance on how to implement the law. These regulations consist of six articles:
A Data Subject Access Request (DSAR) allows people to make known their desire to access, change, and control the data businesses collect about them. Your company will need to provide methods for people to register these requests and respond accordingly. Such disclosures include data covered 12 months before the request.
DSARs include requests from people seeking to know what data your organization holds about them and your intentions for collecting and using that data, to correct their data preferences, to exercise their “right to be forgotten” (to have an organization erase their records), etc.
When it comes to the consumer right to opt out of the sale of personal information, businesses are required to provide two or more methods for submitting such requests. These methods should require minimal steps to allow consumers to opt out and be easy for them to execute.
In order to be compliant, your business should disclose your CCPA obligations front and center on your website (and wherever else you collect consumer data). Ask consumers to opt in or out of sharing some or all aspects of their personal data, including information collected by pixels, cookies, and other tracking technologies.
Additionally, you need to share all privacy information with consumers in a central place on your website. This information should include:
When responding to a DSAR, you’ll typically need to access, modify, and delete data from your backend data management systems that host personal data.
You’ll need to create internal reports that demonstrate your compliance and—if you disclose personal information to third parties—show that you can send deletion requests and ensure they’re being followed. You’ll also need to maintain updated suppression lists and demonstrate they are being applied both internally and by third parties.
The California Privacy Rights Act (CPRA) will take effect on January 1, 2023, and replace the CCPA. The CPRA is widely viewed as California’s version of the GDPR; it gives consumers more control over their personal data and holds businesses more accountable for protecting the data they collect and process.
The CPRA will apply to any legal entity that 1. does business in the State of California, regardless of where it is located, 2. collects consumers’ personal information, and 3.:
The Act also requires regulated businesses to provide CPRA training to employees dealing with consumer inquiries related to company privacy practices, as well as anyone responsible for the organization’s CPRA compliance.