What is CCPA?
The California Consumer Privacy Act (CCPA) addresses the personal information and privacy rights of California residents. The much-debated Act officially took effect on January 1, 2020, and will have wide-reaching implications for many companies. Under the CCPA, any California resident can take action against a company regarding their privacy and data security rights.
The Act focuses on user data collected by companies and requires that companies provide transparent information on how much user data is used and monetized. Companies should notify their users about how they will use, share and sell personal data, and users who wish to can opt out of such sharing of their personal information. The Act also gives consumers the power to sue any organization that violates the data privacy guidelines set out in the Act.
Although the CCPA is enforced by the California Attorney General, it cannot be enforced until six months from the date of its official enactment, i.e. July 1, 2020.
Which companies are affected by CCPA?
Any company that serves California residents and has an annual gross revenue of at least $25 million must comply with the Act. Companies of any size that hold personal data of at least 50,000 people, or that collect at least half of their revenues from the sale of personal data, also have to comply with the law. The law also applies to companies that use the personal information of California residents even if they are not based in California or in the United States.
Although many companies are expected to be affected by the CCPA, there are various exclusions, viz. insurance companies, support organizations, and agents, since they already comply with similar regulations under different Acts. Directors should also know the CCPA inside out to assess the risks related to the Act and how it will affect their organization.
How are consumers affected by the CCPA, and what are their rights?
- Consumers can formally request a copy of their data from any organization at any time.
- These requests can be made only twice a year, with a look-back period of the last 12 months only.
- On receiving a formal request, the company has to respond within 45 days of receipt. In some cases, a maximum of 90 days is allowed.
- If a user formally requests it, companies will have to comply and delete the user's data.
- After receiving such a request, the company cannot refuse to delete the data or change the price or level of its service.
- If the above-stated rules are violated, California authorities have the power to penalize such companies.
What should the directors do to implement the rules under the CCPA?
- The board should determine how personal information is stored in the company's databases, how it is used and where it is shared, and update the company's privacy policies accordingly.
- The board has to consider the risks that come with CCPA and the outcomes when these rules are violated.
- The directors should regulate the processes and operations to minimize the impact on customers and business partners.
- Finally, the directors should continuously keep track of developments on the CCPA as and when they become available.