Complete Guide for CCPA Compliance

By September 24, 2019 CCPA

Complete Guide for CCPA Compliance

California Consumer Privacy Act Compliance Guide

Are you a for-profit company that does business in California?

If so, look alive: there is an extremely important date looming that you need to know.

The California Consumer Privacy Act (CCPA) will go into effect on January 1st, 2020. Below, we’ll cover everything you need to know to stay on the right side of regulations.

What is the California Consume Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is the latest attempt by regulators to protect the private information of consumers from exploitation by commercial interests. It applies to businesses involved in the collection, storage or processing of data.

This includes:

Advertisers
Fintech companies
Internet providers with OTT services (e.g. AT&T, DirecTV, Verizon Oath, etc.)
Online retailers
Social media organizations

As the name suggests, it is a state regulation specific to California, but one that applies to any and every profit-making organization that benefits financially from California residents, provided that your business meets certain thresholds.

What are the CCPA Thresholds?

The CCPA will apply if your business meets any of these three thresholds below:

A business receives $25m annual revenue from transactions involving California residents.
A business receives 50% or more of its revenue from selling California residents’ data.
A business processes the data of 50,000 or more Californian individuals, households or devices.

These thresholds apply equally to parent and subsidiary companies.

Why CCPA Now?

The introduction of the CCPA is part of a wave of new privacy legislation sweeping the globe. The most well-known example is the European Union’s General Data Protection Regulation (GDPR), which was implemented on May 25th, 2018.

The CCPA has also been explicitly linked to the privacy  scandal where the personal information of 50 million Facebook users ended up in the hands of the political consultancy Cambridge Analytica. The regulation is designed to stop commercial companies from profiting off the personal information of Californians without their knowledge and consent.

Affected companies will be required to ensure Californians give explicit consent to sharing their data and to be made aware of their legal rights with regards to accessing and deleting data.

If your company does business with EU residents, you will probably be at an advantage since many of the changes needed to comply with the GDPR will also apply to CCPA compliance. However, there are some important differences between the two regulations that need to be fully understood so as to avoid any potentially costly oversights.

Comparing CCPA and GDPR

One of the main differences between the CCPA and GDPR is that the CCPA uses a broader definition of personal information. This is defined as any information that identifies, relates to, describes or is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular individual or household.

This gives the CCPA more scope to penalize companies for targeting consumers using technical data such as IP addresses, browsing history, geolocation data and online purchase records without permission. Private credentials such as Social Security Numbers and Drivers’ Licence numbers are also included, but publicly available data such as property tax records are not.

Another difference is that the GDPR has more legal weight than the privacy laws of individual EU countries which have to transpose the regulation into their own legislation. In contrast, the CCPA can be overridden by federal laws such as the Patriot Act and Bank Secrecy Act.

The fines for a breach of the GDPR are far higher than those under the CCPA. Worst case, a company can be fined either 20 million Euro or 4% of their global revenue, whichever is greater. In contrast, the fine for an intentional breach of CCPA is $7,500 per violation; unintentional violations will attract a fine of $2,500 per incident. Residents can also sue for $750 if their stolen data wasn’t encrypted or redacted.

On the other hand, the CCPA is likely to be more rigorously enforced than the GDPR which, to date, has been sparingly used.

Benefits of CCPA Compliance

The benefits of CCPA compliance go beyond simply avoiding fines. It demonstrates that your business takes privacy seriously, which will give your customers – especially those from California – peace of mind and a solid reason to stay loyal to your business.

Questions about CCPA and/or GDPR compliance and how they could affect your business? Let us know.

Shamrock’s expert team is trained on all pertinent compliances and we can create a complimentary risk assessment for your business to ensure you’re taking all the necessary steps towards compliance.

Paul Cooney

Paul Cooney

Paul Cooney is the Founder and President of Shamrock Consulting Group with over two decades of experience in the telecom industry. After finding early success selling fixed wireless for Teligent, Inc. in the late 90’s and early 2000’s, he took over AT&T struggling Los Angeles sales team and turned them into one of the best teams in the country within 6 months. In 2008, Paul left AT&T to start Shamrock, which he has grown into an award-winning industry leader capable of selling any product from any provider at the guaranteed best price.