Is your company ready for the California Consumer Privacy Act (CCPA)? If not, time is running out to prepare; it takes effect on January 1, 2020. Here’s the lowdown on the CCPA.
What is the CCPA, and who has to comply?
Tired of waiting for the U.S. federal government to take action on consumer data privacy legislation, states have started to take matters into their own hands and pass their own data privacy legislation. The CCPA is the most far-reaching example to date, especially since California is the most populous state in the U.S. and the home to a number of multinational tech companies, including Facebook and Google.
Any for-profit entity that does business in the state of California and meets at least one of the following criteria must comply with the CCPA:
- Annual gross revenue of at least $25 million
- At least 50% of annual revenue is derived from selling personal information belonging to California residents
- Buys, sells or shares personal information from at least 50,000 California consumers, households, or devices
Any company that does business in California has to comply, regardless of whether they have a physical presence within the state.
The CCPA vs. GDPR
The CCPA is often called the “American GDPR,” but that’s not entirely accurate. Unlike the GDPR, which applies to citizens throughout the European Union (EU), the CCPA applies only to California residents. The CCPA also doesn’t mandate data breach reporting.
That said, the CCPA borrows heavily from the GDPR and grants California consumers significant new data privacy rights, including:
- The right to know what information companies are collecting on them and why
- The right to prohibit companies from selling their information
- The right to know if their information will be shared with third parties, and who those third parties are
- The right to request all data a company has collected on them over the previous 12 months, including information on any third parties the data was sold to; companies will have 45 days to comply with a request
- The right to sue companies that violate their privacy — even if there was no data breach
The CCPA defines “selling” very broadly, to include “disclosing, disseminating, making available, transferring,” and more. Companies will be prohibited from hiding “do not sell” instructions in tiny print within voluminous terms of service. Under the CCPA, they’ll have to include a “clear and conspicuous” section on their website with the specific wording, “Do Not Sell My Personal Information.” If this notice is missing, it’s considered a privacy violation under which consumers can sue.
The CCPA is also very liberal about what constitutes “personal information,” defining it as anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specific examples noted in the law include the real name, alias, geolocation data, IP address, biometric data, professional or employment data, and much more.
Once a business is notified of a CCPA violation, they’ll have 30 days to correct it. Otherwise, they can be fined up to $7,500 for each violation and be subject to class-action lawsuits.
Getting your business ready for the CCPA
An economic impact assessment prepared for the California State Attorney General by an independent research firm estimates that complying with the CCPA will cost very small businesses (fewer than 20 employees) about $50,000 upfront, while companies with more than 500 employees will pay an average of $2 million. Companies that are already GDPR-compliant have a head start and will end up paying less.
In addition to ensuring your data security is sufficient, preparing for the CCPA means shoring up your data management and governance. Here are a few tips:
- Understand what data your company is collecting, what you are using it for, and where it’s being stored. You’ll need to map the customer data lifecycle so that you can provide this information to customers upon request.
- Understand what data your third-party vendors are collecting, as you’ll be responsible for reporting this information to your customers. This means auditing all of the web applications to identify which platforms are loading across every page of your properties, how they are being loaded, and what data they are collecting. This includes third-party platforms that may be piggybacking or loading in through other third-party platforms.
- Make sure all third-party vendors that are collecting personal data are CCPA-compliant. Note that there is no such thing as “obvious” compliance. Although customer data platforms (CDPs) are designed for consent management, not all of them comply with the CCPA’s privacy mandates.
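The third-party audit described above can be started from a recorded page load. The following is an added example, not Keeper’s code; it assumes a simplified HAR whose `initiator` field is the URL of the resource that triggered each request (Chrome’s export keeps this under `_initiator`) and approximates the registrable domain as the last two hostname labels, which a real audit should replace with the Public Suffix List. It classifies each request as first-party, third-party, or “piggybacked” (a third party pulled in by another third party) and lists the personal-looking fields each vendor receives.

```javascript
// Added example (not Keeper's code): inventory the third-party platforms a
// page loads, flag "piggybacked" ones (a third party pulled in by another
// third party), and list the personal-looking fields each request carries.
// Assumptions: entries are a simplified HAR whose `initiator` is the URL of
// the resource that triggered the request; the registrable domain is taken
// as the last two hostname labels (replace with the Public Suffix List).

// Constructed sample: the checkout page loads a tag manager, which in turn
// loads an analytics beacon that receives the shopper's e-mail address.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://www.example-shop.com/checkout' }, initiator: null },
  { request: { url: 'https://cdn.example-shop.com/app.js' },
    initiator: 'https://www.example-shop.com/checkout' },
  { request: { url: 'https://tags.tagvendor-example.com/tm.js' },
    initiator: 'https://www.example-shop.com/checkout' },
  { request: { url: 'https://beacon.analytics-example.net/collect?uid=42&email=a%40b.com&pg=checkout' },
    initiator: 'https://tags.tagvendor-example.com/tm.js' },
] } };

// Field names that look like personal information under the CCPA's broad
// definition (name, alias, geolocation, IP address, identifiers, ...).
const PERSONAL_FIELD = /email|phone|name|uid|user|geo|lat|lon|zip|ip/i;

function registrableDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Returns one record per third-party request: who the vendor is, whether it
// was loaded directly by the page or by another vendor, and which
// personal-looking parameters it received.
function auditThirdParties(har, firstParty) {
  const report = [];
  for (const { request, initiator } of har.log.entries) {
    const vendor = registrableDomain(request.url);
    if (vendor === firstParty) continue; // first-party asset, not a vendor
    const loadedBy = initiator ? registrableDomain(initiator) : null;
    const params = [...new URL(request.url).searchParams.keys()];
    report.push({
      vendor,
      url: request.url,
      loadedBy,
      piggybacked: loadedBy !== null && loadedBy !== firstParty,
      personalFields: params.filter((k) => PERSONAL_FIELD.test(k)),
    });
  }
  return report;
}

console.table(auditThirdParties(SAMPLE_HAR, 'example-shop.com'));
```

Run it against a HAR exported from each page of your properties; vendors that appear with `piggybacked: true` are the ones your tag manager or other vendors brought in without a direct integration, and their `personalFields` show what they are receiving.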
If you need help, consult a compliance professional.
Keeper is CCPA compliant, and we are committed to ensuring our business processes and products maintain compliance for our customers who must comply with the CCPA.
The Keeper Web Vault, Desktop App, Android App, iPhone/iPad App and browser extensions have already been certified Privacy Shield compliant with the U.S. Department of Commerce’s EU-U.S. Privacy Shield program, meeting the European Commission’s Directive on Data Protection. Keeper is SOC 2 Type 2 compliant in accordance with the AICPA Service Organization Control framework. Keeper is also ISO 27001 certified.
Keeper’s Data Processing Agreement (DPA)
Business customers may need to sign a Data Processing Agreement (DPA) with Keeper Security to assist in their CCPA compliance. Please request the DPA from your Keeper representative or email us at firstname.lastname@example.org.