What is California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act is a law meant to give Californians enhanced rights over the use and sale of their personal information. Once a company collects your personal data, you have these rights:
Access: you can access the data collected and ask how they will use the data.
Deletion: to request they delete your data, unless it is vital for security purposes, legal compliance, or providing an essential service.
Opt-out of “sales”: gives you the right to opt-out of having your data being “sold” to a third party.
When did CCPA go into effect?
January 1, 2020, but there was a six-month grace period on enforcement for brands up to July 1, 2020.
Who is impacted by CCPA?
Any brand categorized as “business,” “service provider,” or “third-party” doing business in California and sells, buys, or collects personal information from online consumers.
How do brands and publishers know their category?
Business: is a for-profit entity conducting significant business in California collecting consumers’ personal information, with more than $25 million gross revenue annually; or buys, sells, shares, or receives personal information of more than 50,000 consumers, devices, or households for commercial purposes; or derives more than 50% of its annual revenue from personal information sales.
Service Provider: are entities that process information on behalf of other businesses for profit.
Third-Party: is neither a business nor service provider collecting consumers’ personal information.
What additional rights will California residents get under the CCPA?
If you are in California, you can request a business to disclose:
Categories and specific pieces of your personal information it has collected.
The commercial purpose for selling or collecting your personal information.
Third-parties the business shares your personal information.
Additionally, you can request collected personal information be deleted, subject to certain exceptions. Alternatively, you can opt-out of selling your personal information.
Businesses must provide an accessible and cost-free way of exercising these rights and respond to such requests within 45 days of receipt. The timings for deleting and ‘Do-Not-Sell’ requests are hazy.
Does it mean our company has to amend its online privacy policy?
Yes. The bare minimum is providing a California-specific form of privacy notice incorporating substantive elements linked to disclosures as provided by the CCPA. In short, online privacy policy or any California-specific notice must include information such as:
Description of consumers’ rights.
The categories of personal information sold or disclosed for business purposes in the preceding 12 months.
A description of any financial incentives for providing data.
What are the potential penalties for violations of the CCPA?
Each violation can attract up to $2,500 in civil penalties, while failure to make good a 30-day opportunity to cure and each intentional violation after notice may attract a $7,500 fine.
Will this negatively impact digital advertising efforts?
It’s more nuanced than that. Sure, businesses use this personal data collection to gauge consumers’ shopping habits. Without this data, businesses cannot offer targeted advertising, reducing their chances of engaging and converting.
Ultimately, CCPA can improve the advertising ecosystem for both the consumer and business. Brands will know which consumers are open to personalized advertising or offers while enhancing transparency and rights in using and selling consumers’ personal information.
What can a business do/not do with a user’s personal information who has opted out of sales?
It means the company can still use the information to complete that transaction and pay the ad commission, but not beyond that transaction.
What are the impacts of non-compliance?
That will depend on the severity of the infraction:
Private enforcement: you can file a lawsuit in the event of a data breach to recover up to $750 per actual incident or damage, whichever is greater.
Governmental enforcement: The State’s AG can file a civil case, giving businesses up to 30 days to fix non-compliance or they will be liable for up to $7,500 in fines per violation.
What is required to fulfill the CCPA requirements?
Brands, publishers, and advertisers will need to provide explicit notice and an opportunity to opt out to consumers before collecting and sharing consumer data.
What is required for publishers to fulfill the CCPA requirements?
Publishers must disclose privacy rights through a link on their site. Alternatively, businesses can block traffic via the IP addresses of Californians.
Publishers should implement a Consent Management Platform that collects and passes consumer’ opt-out requests and consent information to partners.
Publishers can include a ‘Your Privacy Rights’ link, leading users to a page disclosing what personal information the company may collect.
The effect of the CCPA on brands based outside the US?
Any brand that buys, sells, receives, or shares personal information of at least fifty thousand California residents annually, must comply with CCPA regardless of location.
Is there a chance of this privacy policy advancing to a federal level?
Many states and other countries worldwide have adopted similar privacy regulations, so there is a good chance it could go federal.