The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. General Data Protection Regulation (GDPR) went into effect on May 25th, 2018 in all member states of the European Union. The Washington State Privacy Act and New York Privacy Act (NYPA) both failed to pass last year, but it is only a matter of time before other states implement similar laws.
We are all consumers in our daily lives, whether CEO of a Fortune 100 company or a sales executive. As consumers, we need to understand what these privacy laws are trying to protect.
My view is very simple. Protect all your consumers regardless of where they are located. Protecting all your consumers with the highest privacy standards is the right thing to do. This, in turn, gives you a chance to earn the consumer’s loyalty.
You can get more information about the California Consumer Privacy Act - AB-375 Privacy: personal information: businesses on http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.
The Act clearly lays out what businesses must do to protect the rights of all the Californians they serve.
Since the CCPA took effect on January 1, 2020, businesses have been required to inform consumers about the personal information they collect and to provide a way for consumers to request deletion of that information.
Does your business have to comply?
For-profit businesses that do business in California, or with people living in California, and that meet any of the following thresholds must comply with the California Consumer Privacy Act. Note that the statutory definition below covers entities "organized or operated for the profit or financial benefit" of their owners; if any one of the thresholds (A) through (C) is true for such a business, it has to comply.
1798.140. (c) "Business" means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What personal information is being collected?
As a business that must comply with the California Consumer Privacy Act, you must be able to tell your consumers about all the personal information you hold or continue to collect. This step usually means working with your IT and software development teams to modify processes and assess where personal information is stored and how it flows through your systems. That data inventory is what you will rely on in the next step, when you respond to consumer requests.
1798.100. (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
1798.100. (b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
1798.140. (o) (1) "Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) "Personal information" does not include publicly available information. For these purposes, "publicly available" means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. "Publicly available" does not include consumer information that is deidentified or aggregate consumer information.
Right to request information and Opting out
1798.100. (c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
1798.135. (a) (1) Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
1798.130. (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible to consumers, a business shall:
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
(3) For purposes of subdivision (b) of Section 1798.110:
(A) To identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer.
Provide Security Measures
Businesses must implement and maintain reasonable security for how personal information is handled and stored, and take precautions against data breaches and unauthorized access. Note that the private right of action below applies to "nonencrypted or nonredacted" personal information, so encrypting data at rest and redacting what you do not need directly reduces your exposure.
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
Businesses should train the employees who handle requests arriving via the website, the toll-free telephone number, and the contact form. Each request should be logged with its date of receipt and how it was verified, and the information must be delivered to the consumer free of charge within 45 days of receipt. The 45-day clock starts at receipt, not when verification completes, and it may be extended once by a further 45 days only if the consumer is notified within the first 45-day period.
1798.130. (a) (2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.
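The timing rules in 1798.130(a)(2) are easy to get wrong in a ticketing workflow: the clock runs from receipt rather than verification, only one extension is allowed, the extension notice must go out inside the first 45 days, and the disclosure covers the 12 months before receipt. The following Python request tracker is an added example (not code from the original post or from any vendor) that encodes those rules and the request log suggested above. The intake channel names, request kinds, and sample requests are assumptions constructed for the example.

```python
"""Minimal CCPA consumer-request tracker (illustrative example, not from the post).

Encodes the timing rules quoted from Cal. Civ. Code 1798.130(a)(2):
  - the 45-day clock starts at receipt, not at verification;
  - one extension of a further 45 days is allowed, and only if the
    consumer is notified of it within the first 45-day period;
  - the disclosure covers the 12 months preceding receipt.
Channel names, request kinds and sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RESPONSE_WINDOW = timedelta(days=45)
CHANNELS = {"web", "toll-free", "contact-form"}   # assumed intake channels
KINDS = {"access", "delete", "opt-out"}            # assumed request kinds


def twelve_months_before(d: date) -> date:
    """Start of the 12-month disclosure period preceding receipt."""
    try:
        return d.replace(year=d.year - 1)
    except ValueError:  # 29 February has no twin in the prior year
        return d.replace(year=d.year - 1, day=28)


@dataclass
class ConsumerRequest:
    request_id: str
    received: date
    channel: str
    kind: str
    verified: bool = False
    extended_on: Optional[date] = None
    fulfilled_on: Optional[date] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.channel not in CHANNELS:
            raise ValueError(f"unknown intake channel {self.channel!r}")
        if self.kind not in KINDS:
            raise ValueError(f"unknown request kind {self.kind!r}")
        self.log.append(f"{self.received}: received via {self.channel}")

    @property
    def due(self) -> date:
        # Verification never moves the deadline; only a timely extension does.
        base = self.received + RESPONSE_WINDOW
        return base + RESPONSE_WINDOW if self.extended_on else base

    @property
    def disclosure_period(self) -> Tuple[date, date]:
        return twelve_months_before(self.received), self.received

    def mark_verified(self, on: date, how: str) -> None:
        self.verified = True
        self.log.append(f"{on}: verified ({how})")

    def extend(self, on: date, reason: str) -> None:
        if self.extended_on is not None:
            raise ValueError("only one 45-day extension is permitted")
        if on > self.received + RESPONSE_WINDOW:
            raise ValueError("extension notice must be given within the first 45 days")
        self.extended_on = on
        self.log.append(f"{on}: extended, consumer notified ({reason})")

    def fulfil(self, on: date) -> None:
        if not self.verified:
            raise ValueError("do not disclose or delete on an unverified request")
        self.fulfilled_on = on
        self.log.append(f"{on}: fulfilled" + (" LATE" if on > self.due else ""))

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled_on is None and today > self.due


class RequestLog:
    """In-memory log of requests; a real deployment would persist this."""

    def __init__(self) -> None:
        self._requests: Dict[str, ConsumerRequest] = {}

    def submit(self, request_id: str, received: date, channel: str, kind: str) -> ConsumerRequest:
        if request_id in self._requests:
            raise ValueError(f"duplicate request id {request_id}")
        req = ConsumerRequest(request_id, received, channel, kind)
        self._requests[request_id] = req
        return req

    def get(self, request_id: str) -> ConsumerRequest:
        return self._requests[request_id]

    def overdue(self, today: date) -> List[str]:
        return sorted(r.request_id for r in self._requests.values() if r.is_overdue(today))


def demo() -> RequestLog:
    """Constructed sample: one extended access request, one neglected deletion request."""
    log = RequestLog()
    a = log.submit("R-1001", date(2020, 1, 6), "web", "access")
    a.mark_verified(date(2020, 1, 20), "matched account email and last order number")
    a.extend(date(2020, 2, 14), "records held by two downstream vendors")
    log.submit("R-1002", date(2020, 1, 10), "toll-free", "delete")
    return log
```

The important design choice is that `due` is derived purely from `received` and `extended_on`; there is no way for a slow verification step to push the deadline out, which matches the statute's wording that verification "shall not extend the business's duty".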
After reading the bill, and even just the thresholds highlighted above, you may find it does not apply to your business today. This is the first version of the law, and as mentioned earlier, more states and countries will follow. A more comprehensive update to the CCPA is expected in the coming months. If the law does not apply to you now, it likely will soon.
Several services provide cookie consent and privacy controls, and they make it easy and affordable to implement those controls on your websites. Looking ahead, your business should extend these protections to all of its consumers.
Microsoft has pledged full support for the CCPA and, what's more, has said it will extend these rights to everyone, even in regions that have no such law in place.
As a brand, you build trust when you take care of your consumers.
Under the heading "We Do Not Sell Your Personal Information", Microsoft states: "Microsoft does not sell your personal information."
Microsoft also has a great blog post: "Data privacy is about more than compliance—it's about being a good world citizen".
Even if your site serves only North America, I would pick the most stringent consumer privacy regulation and comply with it, and I would extend those rights to all consumers of the site.
In short, be a good citizen as a business and protect your consumers.
In the next blog post we will cover the steps a business should take to implement the California Consumer Privacy Act using an example of our client.
If you have any questions, please get in touch with me: @akshaysura13 on Twitter or on Slack.