CCPA Compliance

The CCPA, or California Consumer Privacy Act, is California's new personal data protection law. The State of California passed it in recognition of the growing role of consumers' private information in business practices and the implications for how that data is collected, used, and protected.
The law takes effect on January 1, 2020. The following sections summarize why the law matters, to whom it applies, and the steps to compliance.


Our Commitments

  • We invest in our security team to meet CCPA obligations vigilantly.
  • We obtain consent before sending any marketing emails and offer an opt-out option with every message.
  • We also ensure that consumers who have opted out of the sale of their PI are not asked to re-consent within 12 months.
  • Our employees are trained to handle consumer requests under the applicable privacy policies.
  • Our data security team continuously monitors the data for breaches and notifies you if we find any.
  • Our team carries out a fair and transparent data collection and selling process.
  • If you want your data changed or deleted, we are responsible for taking the relevant action immediately.
  • To comply with the CCPA rules, we have also updated our Privacy Notices, Policies, and Third-Party Agreements.
  • We guarantee that only authorized personnel can access an individual's personal information.
  • We comply with several other standards and regulations, including GDPR.
  • We grant every individual the right to know how their data is used by our company and for marketing purposes.
  • We ensure our data inventory processes are kept up to date as new consumer information is collected and deleted.
  • Our team has implemented several protocols to ensure consumer rights.
  • All consumer personal information is stored in encrypted form and is password-protected.
  • We are an esteemed member of the Direct Marketing Association and are BBB accredited with an A+ rating.

CCPA Applications & Exceptions

A business is subject to the CCPA only if it

  • Does business in California
  • Operates for profit
  • Collects consumers' personal information (PI)
  • Determines the purposes and means of processing consumers' PI

and, in addition, meets at least one of the following thresholds:

  • Has annual gross revenue of more than $25 million
  • Buys, receives, sells, or shares the PI of 50,000 or more consumers, households, or devices annually for commercial purposes
  • Derives 50% or more of its annual revenue from selling consumers' PI

The CCPA does not apply to the following categories of information and activities:

  • Personal information collected, processed, sold, or disclosed under the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act
  • Medical information governed by the California Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act (HIPAA), and information collected for clinical trials
  • The sale of PI to or from a consumer reporting agency where that information is to be reported in, or used to generate, a consumer report
  • Cooperation with law enforcement agencies, and exercising or defending legal claims
  • Compliance with federal, state, or local law
  • Civil, criminal, or regulatory investigations, and summonses or subpoenas
  • Data collected, processed, sold, or disclosed under the Driver's Privacy Protection Act of 1994 (DPPA)

GDPR vs. CCPA

The CCPA may look similar to the GDPR, but they are not the same. They differ in the information required in privacy policies, the entities they cover, the role of prior consent, and the treatment of sales of personal information. If your business is GDPR compliant, you probably already meet some CCPA requirements, but you still need to satisfy the remaining CCPA provisions before you can call yourself CCPA compliant.

Businesses Covered

  • The GDPR applies to any organization, regardless of its location or size, that processes the personal data of individuals in the EU.
  • The CCPA is narrower in scope. It applies only to for-profit businesses that do business in California and exceed one of its thresholds: annual revenue above $25 million, PI of 50,000 or more consumers, households, or devices, or 50% or more of annual revenue from selling PI.

Consumer Rights

  • The GDPR covers all personal data relating to an identified or identifiable natural person (the data subject).
  • The CCPA treats both the consumer and the household as identifiable entities, and in some cases it distinguishes data provided directly by the consumer from data obtained from third parties.

Enactment and Enforcement

  • The GDPR was adopted in April 2016 and became enforceable on May 25, 2018.
  • The California Consumer Privacy Act takes effect on January 1, 2020, and is expected to be refined by implementing regulations along the way. The CCPA was enacted largely in response to widely publicized cases of personal data misuse.

Data Encryption

  • Both the GDPR and the CCPA make data encryption an essential privacy protection measure for businesses.
  • Under both laws, some of a company's obligations after a data breach are reduced if the affected data was encrypted: the GDPR can waive the duty to notify affected individuals, and the CCPA's private right of action for breaches covers only nonencrypted and nonredacted personal information.

Penalties

  • The GDPR imposes stricter penalties for non-compliance or data breaches, up to 4% of the business's annual global turnover or 20 million euros, whichever is greater.
  • Under the CCPA, civil penalties are assessed per violation (up to $2,500 per violation and up to $7,500 per intentional violation) with no aggregate cap, and consumers affected by certain data breaches have a private right of action for statutory damages of $100 to $750 per consumer per incident.

PI Under CCPA

The scope of personal information (PI) under the CCPA is at least as broad as under the GDPR, and it explicitly extends to households. It includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The following enumerated categories of consumer information are included as PI:

  • Identifiers such as name, alias, account name, IP address, postal address, email address, Social Security number, passport number, and driver's license number
  • Geolocation data
  • Biometric information
  • Personal information as defined in California's customer records law (Cal. Civ. Code § 1798.80(e)), which includes physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy number, and financial account information
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies
  • Internet or other electronic network activity, including browsing history, search history, and the consumer's interaction with a website, application, or advertisement
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
  • Inferences drawn from any of the information above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Consumer Rights in CCPA

The CCPA grants consumers new rights, including a right to deletion (comparable to the GDPR's right to be forgotten), a right to transparency about data collection, a right to opt out of the sale of PI, and an opt-in requirement for minors. Although the list looks similar to the European law, there are significant differences in the details.

  • The right to know what personal information a business collects: businesses must be transparent with consumers about the personal information gathered and how it is used.
  • The right to request the categories and specific pieces of PI a business has collected, upon a verifiable consumer request: this covers the categories of PI collected, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom it is shared.
  • The right to know the categories of personal information collected about consumers and the purposes for which they are used: businesses must disclose the PI collected about the consumer and what it is used for.
  • The right to opt out of the sale of PI: consumers may direct a business not to sell their PI, and the business may not discriminate against them for exercising that right, for example by charging a different price or providing a different level or quality of goods or services, unless the difference is reasonably related to the value provided by the consumer's data. A business may not sell the PI of a consumer under 16 years of age unless the consumer (or, for children under 13, a parent or guardian) affirmatively opts in.
  • The right to delete personal information: consumers may request deletion of their PI, and businesses must delete it, and direct their service providers to do the same, upon receiving a verifiable deletion request, subject to the law's exceptions.
  • The right to equal service and price when exercising privacy rights: businesses may not discriminate against consumers who exercise their rights, although the law permits them to offer financial incentives for the collection, sale, or deletion of PI with the consumer's opt-in consent.

“Leverage our Research-backed CCPA Readiness Solution to Minimize the Risk.”

Have You Prepared Yourself for CCPA?

At Thomson Data, we have a robust team working on CCPA. You can email us at sales@thomsondata.com or call +1 800-385-8221 with any CCPA-related questions concerning our company. For general queries, you can visit the official website.

“We equally share our responsibilities for CCPA Obligations.”

Disclaimer: This content is not legal advice for complying with the CCPA, and we urge you to consult an attorney for legal advice. This website provides only background information to help you understand how Thomson Data addresses the legal points.