Checklist to Verify Whether the California Consumer Protection Act (CCPA) Applies to Your Company

The strongest set of data protection rules to date, GDPR, came into effect across the European Union on May 25, 2018. The intent was to modernize laws protecting the private information of individuals. But what the General Data Protection Regulation (GDPR) really did was pave the way for the implementation of similar regulations in other parts of the world.

California Consumer Protection Act (CCPA) - Going Beyond GDPR

In 2018, Vermont enacted the first state law mandating the registration of data brokers. Another U.S. state, Ohio, then made headlines with the first cybersecurity safe harbor law. Within the same timeframe, the breach notification statute in Colorado was amended to include a data deletion/disposal provision, while Massachusetts and other states also enacted breach notification statutes.

Amidst all of these developments, Governor Jerry Brown of California passed the CCPA bill on 28 June, 2018. The bill seeks to improve consumer protection and privacy rights for Golden State residents.

And this makes sense considering that the innovative California ranks first in the U.S. in net tech developments and net tech employment jobs added. California is also the home of Silicon Valley and its inventions, accounting for almost 19 percent of the state's overall economic growth.

With an enforcement date of January 1, 2020, the CCPA, despite several amendments, will possibly end up being the toughest privacy regulation in the U.S., one-upping the GDPR. Nearly every company that does business in California or handles its citizens' personal data will feel the impact.

Whom Does the CCPA Protect?

Any household or resident of California who can be reasonably identified, even with a unique identifier, is covered by the California Consumer Protection Act. The CCPA allows California consumers to exercise a new set of rights.

What Does the New Law Mean for Businesses?

The California Consumer Protection Act, although controversial, presents a unique opportunity for organizations to level-up on privacy best practices.

If you are still unaware of the effects of the CCPA on your business, it's time to get the ball rolling. Otherwise, you might inadvertently attract a hefty fine. So, if you're currently involved in handling personally identifiable information (PII) of California residents, you need to change how you operate.

Your company must now either adhere to the new standards for consumer data collection outlined by the regulation or prepare for the consequences if you fail to safeguard this data.

Checklist: Determine the Need for CCPA Compliance

According to the CCPA, 'businesses' are for-profit entities that gather personal data from consumers (in this case, residents of California) and meet at least one of the following criteria:

  • Annual gross revenue exceeding $25 million
  • 50 percent or more of annual revenue comes from selling personal data
  • Annual sales, acquisitions, mergers, and purchases of personal data from 50,000 or more households, devices, and consumers for commercial purposes

If you determine that your business meets any of these criteria and is processing personal information derived from California consumers, you need to work on CCPA compliance.

Checklist Exemptions: CCPA Business Exceptions

Your business is not covered by CCPA regulations if:

  • Medical data is gathered by your company under the California Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act (HIPAA), especially data collected as part of a clinical trial and/or entities subject to CMIA or HIPAA.
  • Personal data is gathered, analyzed, disclosed, or sold as per the California Financial Privacy Information Act or the Gramm-Leach-Bliley Act.
  • Information is gathered, analyzed, disclosed, or sold as per the Driver's Privacy Protection Act of 1994.
  • Sale of personal details takes place to and from a consumer reporting agency for generating a consumer report.
  • You receive a summons or subpoena; participate in efforts to comply with local, state, or federal law; or participate in a criminal, regulatory, or civil investigation.
  • You are defending/exercising legal claims or cooperating with law enforcement agencies.

Until January 1, 2021

Your business is exempt from CCPA laws until 2021 if personal details are collected from employees, directors, staff, officers, owners, contractors, and job applicants in your company. However, right-to-know notification for employees will be required in some cases.

The bill requires businesses to submit reasonable verification of consumers in response to their CCPA requests. Consumers must use their existing accounts to make consumer requests. Your business, however, cannot ask a consumer to create an account just for the sake of making the request.

Also, personal details of employees, officers, contractors, directors, and owners collected through business-to-business transactions or communications or due diligence will not fall under the purview of the CCPA. Vehicle manufacturers and dealers also have a right to share or retain vehicle details and ownership information for recall or warranty-related repairs.

However, both of these caveats indicate amendments to the CCPA that have already passed state legislature but have yet to be signed into law by California Governor Gavin Newsom.

Once the amendments are signed, they'll give employers time till 1 Jan 2021 to become compliant with CCPA, and will give the legislature more time to decide whether they want to keep employee records out of the purview of CCPA.

Further Amendments to the CCPA

The California legislature has since passed three other amendments to this bill which require Governor Newsom's signature by October 13, 2019.

Elimination of Toll-Free Numbers for Online-Only Businesses

At present, your business must have two or more designated contact numbers for consumers to make requests under CCPA law, including an online website address and a toll-free number. This amendment seeks to change the requirement of having a toll-free number if your business operates exclusively online and has a direct relationship with the consumer. In such cases, you only have to provide an email address for consumers through which they can submit requests.

Clarifying 'Publicly Available' Information and Personal Information

This amendment will remove confusing jargon from the current CCPA regulations about what constitutes publicly available information as well as remove language concerning the purpose of the data in federal records.

Registration of Data Brokers

This amendment requires the California Attorney General to create a publicly available data broker registry online, a provision which seeks to add transparency for consumers so they can understand how your business utilizes their data and who is accessing it.

Concluding Remarks

We only have a few months left before the CCPA comes into effect, so you should quickly determine whether or not your organization will have to adhere to the new regulations. However, keep in mind that the positive effects of compliance with the CCPA on your business's marketing programs and efforts to generate consumer trust will be more impactful than the associated penalties.
