Want to ‘Play’ in California? You Need CCPA Compliance

Peter A. Liefer II | Posted: October 29th, 2020 | Updated: November 26th, 2020

Data – More valuable than oil

The fourth industrial revolution, which we are moving into rapidly, is preceded by a digital economy based fundamentally on information. 

Oil, for a long time, has been considered the most valuable resource in the world. Now technology is changing the world very fast. In this new digital world, data gathered online is now the world’s most valuable resource. 

Wherever data is coming from, one thing is certain: all information has a monetary value. Humans have become intangible beings online, merchandized, giving out personal data to a computer system embedded in web pages.

Personal data misuse is a concern that raises fundamental questions about privacy, ownership of information, and human rights. When personal data is compromised or stolen by cybercriminals, the people it belongs to are exposed to identity theft, monetary theft, fraud, public embarrassment, and other harms.

A first step toward addressing this problem is an SSL certificate on your website. To protect your visitors' data and build their trust, your business website must offer them some level of online security. You are not legally required to have an SSL certificate, but going without one will surely hurt your business.

Obey the law!

Personal data protection has become important enough that laws are now in place to help ensure the proper handling and use of data. At PrimeView, we have always held data security as a top priority. We are always alert to new security regulations and laws that may affect our clients. 

One of the essential legal requirements for all websites has been the ADA (Americans with Disabilities Act). While not a personal data security regulation, the act outlines features websites must have to be accessible to those with disabilities.

If your company does business in the EU, or targets or collects data related to people in the EU, then the law requires you to have GDPR compliance. The General Data Protection Regulation, the strictest privacy and security law globally, went into effect on May 25, 2018. The GDPR levies severe fines on businesses that violate its privacy and security standards.

California Consumer Privacy Act

A newer law took effect in January 2020 exclusively for California-based businesses or companies that do business in California. The law creates a set of obligations for companies and rights for consumers. 

The California Consumer Privacy Act (CCPA) broadly expands the RIGHTS OF CONSUMERS and requires businesses within scope to be SIGNIFICANTLY MORE TRANSPARENT about how they collect, use, and disclose personal information.

How to determine whether the CCPA applies to your business.

The CCPA applies to any company that collects or provides the personal information of California residents AND meets one or more of the following criteria: 

  1. You are a for-profit business that has $25 million or more in annual sales. 
  2. You buy, sell, or share information on 50,000 or more individuals, households, or devices.
  3. You derive more than half of your annual revenue from selling personal information.

If you meet those criteria, then we would have to say you have a profitable business!

Consumers' Rights

The California Consumer Privacy Act provides “consumers” (natural persons who are California residents) four fundamental rights concerning their personal information:

  1. Consumers have the right to know:
     • What personal data your business collected about them
     • What the source was
     • What it is being used for
     • If it is being disclosed or sold, and to whom it is being disclosed or sold

     This information needs to be revealed through a general privacy policy that provides more specific information upon request.

  2. The consumer has the right to “opt-out” of allowing your business to sell their personal information to third parties.
  3. The consumer has the right to tell your business to delete their personal information, with some exceptions.
  4. The consumer has the right to receive equal service and pricing from your business, even if they exercise their CCPA privacy rights.

Personal information

Under the CCPA, there is a broad scope of “personal information” defined as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

There are 11 categories of consumer information under the CCPA:

  1. Name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number.
  2. Personal information under California’s records destruction law (Cal. Civ. Code § 1798.80(e)), including signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, or financial account information.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 USC § 1232(g), 34 CFR Part 99).
  11. Inferences drawn from any of the information listed above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Don’t be penalized

Like Europe’s GDPR, the CCPA also provides penalties if your company exposes unencrypted personal information to theft or misuse. 

The CCPA is the most stringent privacy law in the United States. So, it requires some effort and knowledge to be compliant. 

If you have any questions on how to ensure that your website is in line with CCPA or GDPR regulations, call PrimeView today. We can provide a CCPA assessment and develop a plan to be compliant.