On January 1, 2020, the CCPA (California Consumer Privacy Act) came into effect. In recent years, information has become big business, so the issue of protecting personal information is becoming increasingly important. Mobile applications, websites, online services, and other Internet resources must comply with privacy policies. The GDPR was adopted recently, and this became a trigger for similar laws to be enacted around the world. For the United States, the CCPA is only the beginning. Nevada, Texas, New York, and Washington have already addressed or are moving toward solving the problem of personal information security. Additionally, options for solving this problem at the federal level are being considered. Even if your business does not presently fall under the jurisdiction of CCPA, you still need to implement changes to your website or mobile app in order to make them CCPA compliant as other states and countries may be subject to such rules.
Let’s find out what CCPA is and what measures must be taken to maintain the trust of your customers and avoid any trouble for your business.
CCPA Basic Information
The CCPA went into effect on January 1, 2020. This means that your business should already be prepared to comply with this law. Starting January 1, users have the right to submit requests for a variety of personal data types, but the California Attorney General’s office will only be able to respond to them from July 1, 2020.
What does CCPA provide?
CCPA offers the following rights to California residents:
The right to know which types of data are being collected
The right to know what a company is doing with their personal data, if the information is being sold to third parties and to whom
The right to prohibit the sale of their personal information
The right to request the deletion of their personal information
The right to access their personal information
The right to equal service
The right to authorize the collecting and selling of personal data for minors under 16 years old (parents or guardians for minors under 13)
What is personal information?
Most companies collect personal information (PI) like names, contact numbers, email addresses, IP addresses, identification data (ID), customer Social Security numbers, etc. However, with the advent of mobile apps and websites, companies can now track what their customers buy and what sites they visit to create a personal customer profile. These customer profiles may include biometric data, information about browsing the Internet, information about purchases or desired products, geolocation data, academic and professional information, commercial property data, etc.
Personal data may be:
Submitted by users through online forms.
Collected using special tools, services, and technologies that track such data.
Who does this apply to?
The California Consumer Privacy Act applies to the following:
Enterprises with agross income of more than $25 million
Companies with data on more than 50,000 consumers who are residents of California
Companies that receive more than 50% of their turnover by selling consumers’ (residents of California only) personal data
According to the CCPA, any business that deals with California residents must disclose and delete PI at the request of its customers (residents of California only).
The CCPA does not define what “doing business in California” means, but it seems applicable to any business that is based in California, has employees in California, and/or is associated with California real estate, sales, etc. Thus, it doesn’t matter where your business is located in the world; if it intersects with California residents, you must comply with the requirements of CCPA.
Inquiry Response Terms
When processing the request for rejection within 15 days, the sale of information is terminated and all parties to whom the information was sold in the previous 90 days are notified.
If the user requires disclosure or deletion, it is necessary to provide the information that has been collected over the past 12 months.
Notify the user within 10 days after receiving a request for disclosure or deletion with information about how the request will be processed.
Substantial responses are provided to the user within 45 days of receiving a request.
What are the penalties for non-compliance?
A fine of up to $7,500 for each violation will be imposed if the violation has not been eliminated within a month.
In the case of loss or theft of a user’s PI, you will have to pay from $100 to $750.
In addition, consumers have the right to use the norms of other laws; for example, when submitting a request and not fulfilling it within thirty days, this request may become the basis for the consumer to sue the company for a violation of privacy rights.
However, CCPA does not stipulate that companies must independently disclose violations. If the company does not receive a request from the user, no sanctions or penalties can be applied to the business.
Are there any exceptions?
Federal law may preempt CCPA. Some types of customer information are not under the control of CCPA, including the following:
Public information that is not considered PI
Identified or aggregated data that is not considered PI
Data from non-California consumers
Data used for cooperation with law enforcement
CCPA vs. GDPR
GDPR and CCPA are similar in nature but still have a number of differences. GDPR came into effect in 2016 and is slightly wider in scope. For example, it involves obtaining consent from users to collect and process PI.
Compare the main similarities and differences in the infographic below:
Thus, if your business complies with GDPR, this does not mean that you comply with the CCPA, so certain requirements will need to be taken into account:
Add a link to the “Do Not Sell My Personal Information” page.
Develop a procedure and unify all sources and channels that process information.
Update your Incident Response Policy and Terms & Conditions.
Observe and mention the non-discrimination policy
Update the language of the opt-in/opt-out button to include CCPA requirements.
Ensure that the cookie language, data collection policy, and disclaimer policy are compliant with the CCPA and GDPR.
CCPA Compliance in Practice
To be CCPA compliant, you should consider the points mentioned below.
All information that you have about your customers/users should be inventoried. This applies to all of your products, including mobile applications. You need to establish what information complies with CCPA as this will help to explain where personal data is used and why it is collected. By building a clear structure for the flow of information, you can determine which specific CCPA compliance measures you need to implement.
At the same time, it will be extremely useful to implement a system of accounting and reporting for how many citizens of California you collect/sell information about as well as the income you receive from this.
The goal of the CCPA is the safety and security of PI. By not complying with this principle, you expose your business to possible losses. Data encryption is the first step. In addition, it is important to implement an automated process of searching for, comparing, and identifying personal data, regardless of where it is stored.
Organization of storage for consent and refusal records
It is very important to keep information about consent/permission to sell data from children, residents of California, or their authorized representatives as well as about refusals and prohibitions on any PI sale. These requests must be dated to ensure future CCPA compliance.
Updating the site and mobile application
The CCPA is not the reason for a complete update of the design of the site and/or application but still requires some changes to its functionality.
A list of categories of information that you collect, how you specifically use it, and for what purposes
An explanation of how user identification is carried out
Links for users to the Do Not Sell My Personal Information page
Link to the user page
Contact information and at least two different ways to request, delete, update, and change PI. It is recommended that one of them be a toll-free phone number.
Description of all rights granted under the CCPA
Non-discriminatory policies for Californians
The CCPA requires a Do Not Sell My Personal Information page and the checkboxes that link to it. Links to this page should be placed on the main page of the site and on the main screen of the application as well as in the footer of the site. There should also be links to pages with confidential information as well as on the pages and screens where information is collected. This also applies to contact forms and subscription forms.
The opt-out pages might differ. This can be a page with an identification form and the ability to send a refusal, for example, Newmeyerdillion. This can also be a page with detailed information provided by the CCPA, for example, Atombeamtech.com or TTC.
Access to the PI
It is not enough to simply inform users of their rights; it is important to let them use their rights as well:
Implement the possibility for identification so as not to transfer the PI to the wrong users. Check out the example of CCPA compliance: TTC.
Inform users about your business/product (website address, phone number, mailing address, email address, online form, etc.).
Providing access to information is the most time-consuming part of CCPA compliance. The function of adding and deleting PIs is the best option, but do not forget about users that do not use online methods. The Appus team will help you implement such functionality for your website and mobile application.
Data Collection and Backend
The most complex processes will occur on the server side. The CCPA requires profiles for California residents, which implies a certain infrastructure for managing such information. This entails updating the databases while taking into account information about where you received the PI as well as when and how you received permission to collect/sell data. The most optimal approach will be the creation of a single centralized repository and the communication of all services and programs related to data processing.
You will need to upgrade to the latest version of WordPress or the site platform, SSL. All of these are quite serious changes and additions, so it is worth entrusting this to professionals.
In addition, when collecting data, you need to remember the special conditions of the CCPA for collecting information about children under 16 years of age. Therefore, in order to comply with the CCPA, it is necessary to implement the function of determining the age of the child, obtaining permission from the child or the legal representatives, and storing that permission information.
Mobile App Update
In the case of mobile applications, it will be slightly more difficult to comply with the CCPA since applications will need to perceive exactly what data they use and how to identify a specific user in order to provide them with their information as well as information about third-party users. Users will not only gain access to information but should also be able to manage their choices and request removal. In addition, special attention must be paid to the security of information on the device.
This sounds complicated, but the Appus team is ready to implement all the necessary changes for you to comply with the CCPA.
Even if you do not yet fall under the influence of the CCPA, now is the time to adapt your products.
What needs to be done:
Add a page/screen—Do Not Sell My Personal Information.
Add links to the opt-out page.
Notify users about cookies.
Implement on the backend side the ability to verify the identity of users requesting information.
Implement user access to their PI in at least two ways (online, using a toll-free phone, etc.).
Implement a backend data collection system for all sources.
If you still have questions, contact the Appus team, and we will be happy to answer them and help you implement a set of measures for your website or mobile application to be fully compliant with the CCPA.