The California Consumer Privacy Act (CCPA), a landmark data privacy law that grants California consumers the right to control their personal information, took effect on January 1, 2020. Since then, businesses that fall under its scope, including national and international companies, have been obliged to comply with CCPA regulations.
Find out how CCPA compliance affects your business and how a consent management system can help by contacting Ketch today.
The CCPA is a comprehensive data privacy law that affords California consumers the right to control the personal information that businesses collect from them and use or sell. These include:
CCPA personal information refers to data “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular” California resident or household.
These include, but are not limited to, identifiers, commercial information, biometrics, online activity, and inferred consumer profiles.
The CCPA was signed into law in 2018 and, after several amendments, took effect in January 2020. Since the CCPA effective date, the California Attorney General's Office has introduced regulations to clarify and interpret the law.
In July 2020, the CCPA became officially enforceable when the California Department of Justice began to notify businesses of potential non-compliance, giving them 30 days to rectify alleged violations.
The CCPA only applies to for-profit businesses that “do business in California” and meet at least one of the following criteria:
All businesses that fit the bill—even those that aren’t located in California but profit from doing business with its residents—must comply with the law after its effective date.
To that end, the CCPA has regulations that guide businesses toward compliance. Generally, these oblige businesses to make their data practices transparent and to give consumers avenues to exercise their rights. Here are some examples:
Businesses must review and update their privacy policy to describe the rights afforded by the CCPA. The policy must also detail the categories of personal information that are collected from consumers, as well as how this data is stored, used, or made available to others through sale, exchange, transfer, etc.
A compliant privacy policy should also explain how consumers can exercise their CCPA rights.
Businesses must include a “Do Not Sell My Personal Information” link or page on their website under the CCPA’s “right to opt-out.” It should be clearly placed in a conspicuous location on the website or in an application’s settings page and in the privacy policy.
Businesses aren’t allowed to sell the personal information of minors. So they should also add opt-in consent channels for consumers between thirteen and fifteen years old or for the parents of users under thirteen.
Businesses need to create CCPA-compliant practices to process consumer requests to access or delete the personal information collected from them. There should be at least two methods to submit these requests, followed by a procedure that confirms, verifies, and processes such requests promptly.
The CCPA can affect how businesses operate, especially if the products or services are sold or provided online. So businesses must train their employees about the CCPA to ensure its proper implementation.
Businesses are responsible for updating agreements with third parties or service providers that manage their consumers’ personal information so that those agreements are CCPA-compliant.
The CCPA won’t be the last data privacy law. So even businesses that don’t fall under its scope should review the regulations and apply the changes to their current data practices to get ahead as more markets shift toward better protecting the personal information of consumers.