Business | 11 min read
CCPA Compliance Checklist: What It Is And Steps To Follow
We live in a more transparent world where all your data can be found and used by third parties. But will it be used for good or evil?
Do you want to know that all your data in the digital world is protected enough? We bet you do. So it is time to take action and settle personal data processing issues on a government level.
Europe implemented it with the GDPR almost two years ago. And today, California state, USA, has also adopted a set of rules entitled the California Consumer Privacy Act (CCPA). Why is the CCPA required, and how does it work? Let’s explore it in our article and see all the CCPA compliance requirements.
What Is The CCPA?
The California Consumer Privacy Act, or CCPA, entered into force on 1st January 2020. It is the first major law of the USA related to personal data protection that is compared with the General Data Protection Regulation (GDPR) that acts in the EU since May 2018.
The CCPA is the law that protects consumers’ rights. It allows state residents to know what personal data are collected by companies and request to erasure all information. At the moment, the full effect of new rules isn’t clear enough since regulations are still modified.
Nevertheless, the California-based companies and companies that process personal data of the Californians already attempt to make their business compliant with the CCPA.
The CCPA determines personal data as any information that identifies a specific consumer:
Real name or pseudonym;
Mailing address, e-mails;
Driving license, ID number, social security;
Purchase of product or services/history of purchases;
Biometric data (height, weight, fingerprints);
Information about education that is not publicly available;
For instance, cookie files can also be considered as personal data, and they are subject to the CCPA. Entrepreneurs need to list the type of information they collect about users and how they plan to use it.
CCPA vs GDPR
It may seem that the GDPR is the same as the CCPA but only in different regions. But that’s not entirely true. Both regulations have some specific differences, and we will describe them in short.
The GDPR is related to all EU citizens (data subjects) while the CPPA works with the Californians (consumers) only;
The GDPR must be applied to individual data subjects only, regardless of how large business is, where it is located, etc. The CCPA applies only to businesses that work in California, process data of California residents, have annual revenue in $25,000,000 or more, and fall within some other criteria. But we will highlight them in the following section;
Requests from individuals must be fulfilled within 30 days under the GDPR. The CCPA allows a business to fulfill requests within 45 days, and even 45 days of extensions are also possible;
The GDPR becomes active when any individual information is collected or processed, and it doesn’t matter if it is sold or not. While the CCPA is explicitly focused on the sale of data;
Fines for non-compliance are much lower under the CCPA. The GDPR fines are 4% of gross annual revenue or €20,000,000, whichever is more significant. Audit results and non-compliance can be the reason for fine imposition. Whereas fines under the CCPA don’t exceed $7,500 per violation. Besides, violation takes place only when data is breached.
When Does Your Business Need To Comply With The CCPA Requirements?
In this section, we will explain to you who must comply with the CCPA law, and when it is the right time to think about compliance. Read this thoroughly to understand whether your business falls within the requirements of California privacy law.
First, you should consider the type of business. We mean whether it is a non-profit or for-profit organization. The CCPA applies only to for-profit companies. Thus, if you own a charity organization, the CCPA doesn’t apply to you.
Ok, you have a business that implies the processing of personal data of the California residents.
You should comply with the CCPA in the following cases:
You receive, process, sell/buy, or transfer data from over 50,000 California residents annually;
Your gross annual revenue exceeds $25 million;
Not less than 50% of annual revenue comes from personal data sales that belong to Californians.
Remember that your business doesn’t need to meet all three rules of the Act simultaneously. If at least one regulation falls within your business terms, you will have to make your business CCPA-compliant.
What CCPA Covers: Steps To Comply With California Data Privacy Law
Now you need to find out what rules CCPA covers and how to ensure compliance with the California privacy act. All California consumers have their rights, and our goal is to list all these rights and provide you with the steps to CCPA compliance.
Right To Notice
California-based consumers have the right to know whether their personal data will be collected and processed. And you should inform consumers of your intentions before you start the collection. For example, when users enter your website/app first, they may see a notification about data collection procedures. Or you will notify them about it at a specific stage.
Steps to comply: Pop-up banner will be a good option if you want to make sure that all users are adequately notified about their data collection. Let consumers put a tick if they give their consent to data collection. Also, when you make mailing, consider notifying users about data collection in a letter.
Right To Disclosure
Consumers have the right to know what types of personal data you collect, what specific data you already collected about the particular consumer, where you extract information from, what is the purpose of information collection, and what third parties you disclose this information to.
You should provide all the requested information within 45 days. But, as we noted above, the CCPA makes it possible to extend the deadline for 45 days if necessary.
Steps to comply: Businesses must answer access requests twice a year. Thus, your task is to be prepared for these requests and put everything in order. You need to map consumer data as well as ask third parties to do the same. Since you will need to have well-grounded explanations of how consumer information is used.
Right To Deletion
Under the CCPA, all consumers have the right to request the deletion of information. However, unlike the GDPR, the request can be declined if there are strong reasons for it. For example, you need to use consumer’s data to complete an order or use personal information for some legal issues.
Steps to comply: Add on the website or app the detailed description of steps on how users can access their personal information, and how to remove their account, erase personal data. Even if consumers aren’t going to do it, they should always have access to this info.
The Right To Opt Out Of Personal Info Sale
You may sell personal information of consumers, and if consumers want to abandon it, they have the right to opt out of this sale. The CCPA rules state that every person should have control over their personal information and all activities related to personal data processing.
The Right To Equal Services And Prices
This right means that even after opting out of information sale, consumers cannot be discriminated against and they should be provided with the same level of services. That is, all the prices mustn’t be higher for the consumer who abandoned the sale of their personal information.
Steps to comply: Make sure that there are no different levels of services for one or the other consumer. The rights of any consumer cannot be violated. Otherwise, you will be fined.
Access To Contact Information
Your consumers should have free and quick access to the contact information on your website. You should make sure that the “Contact us” page is available, and it is always visible. Consumers may use it both for requests mentioned above and concerning any other issues.
Steps to comply: You should modify your website/app and give users detailed and accessible contact info. Make sure to add a toll-free number and emails.
Provide Access To Privacy Police
We would like to discuss with you this CCPA compliance guide, in short. Considering all the rights of consumers your business should comply with, you will need to make a redesign. Thus, you will need to make sure that your website or app is CCPA-compliant, meets all requirements, let users find everything concerning their personal data security easily.
Of course, don’t forget to apply encryption methods to protect all personal and confidential data. The security level of your software must be high. And hire a reliable support team that will handle customer requests and will help you organize everything accurately.
How Can Cadabra Studio Assist You?
As for legal aspects of the CCPA compliance, you will need to deal with legal organizations that will help you prepare and avoid possible fines. They may also train your team, and it ensures that your employees keep up with all requirements.
In case you just start your business in California and you don’t have a website or mobile at all, we will be glad to build it from scratch according to your requirements and expectations. Get in touch with us to see how easy it can be to make your dream real!