What is CCPA and why should it matter to you?
Data has become one of the most valuable resources on the planet, so it's only right that governments are imposing regulations on how this data is processed, used, and disclosed by companies everywhere. The California Consumer Privacy Act (CCPA) is the next regulation we're all getting ready for.
But there are currently 80 countries that have passed privacy laws specific to personal data.
It's been over two years since The Economist published their "The world’s most valuable resource is no longer oil, but data" piece. Since then, there have been plenty of people who have disagreed with this notion (just for the sake of disagreeing sometimes).
If nothing else, David Parkins' editorial cartoon featured inside the piece certainly made its rounds around the internet:
After all, who doesn't love a dark and satirical cartoon illustration of the data-slurping tech giants as we know them?
But holding conglomerates accountable is just one part of what the CCPA stands for.
Such dominance has prompted calls for the tech giants to be broken up, as Standard Oil was in the early 20th century. This newspaper has argued against such drastic action in the past. Size alone is not a crime.
— The Economist, May 6, 2017
Some rules are definitely not meant to be broken
As consumers and decent citizens of the world, we can all appreciate having laws enacted to protect the privacy of our personal data.
And as business owners and working professionals, we definitely want to stay on the right side of the law. After all, growing your business and respecting data privacy shouldn't be mutually exclusive.
That’s why both the General Data Protection Regulation (GDPR) and CCPA aim to pretty much do the same:
- guarantee protection for individuals regarding their personal data, and
- apply it to businesses that collect, use, or share consumer data—whether the information is obtained online or offline.
This includes your visitors or contractors you do business with. Who counts as a visitor? The visitor types can vary from company to company.
So let's dig a bit deeper into the business implications of CCPA, and the steps you can take to remain compliant.
What is CCPA, exactly?
The California Consumer Privacy Act (CCPA) "enhances" privacy rights and consumer protections for California residents. It's a California state law that was actually passed in June 2018 but doesn't go into effect until New Year's Day, 2020.
So no matter how groggy we wake up after celebrating the night before, CCPA is definitely happening.
On the surface, there seem to be four main goals to the Act:
- Own your personal information
- Control your personal information
- Secure your personal information
- Hold big corporations accountable
There is some good news to all this
Before we go any further, let's get some good news out of the way:
Even though the California Consumer Privacy Act has been likened to GDPR, the two are not interchangeable. Organizations that are already on top of their GDPR compliance, will have a much easier time being CCPA-compliant.
So if you've been following our steps to compliance when it comes to GDPR and visitor management, then you've jumped through most of the CCPA hoops already.
However. the terms GDPR and CCPA are not interchangeable...
So, let's define exactly how and where CCPA may, or may not, affect your business.
Which companies are affected by the CCPA?
The CCPA applies to any "for-profit" organizations that meet any of the following criteria:
- Collect consumers’ personal information (this may or may not include external visitors to your business)
- Do business in California, including E-commerce
- Meet any of the following thresholds:
- Have annual gross revenue of $25 million or more
- Collect personal data for 50,000 or more consumers, devices, or households
- Derive 50% of their annual revenues from selling consumers’ personal information
"Doing business in California”
So get this: The act of "doing business in California" isn't clearly defined in the CCPA.
It's still unclear as to many points:
- whether this regulation applies to a business established outside of California,
- whether it collects or sells California consumers personal information while conducting business in California and meet one of the other thresholds
However, under tax law, such companies have been found to meet these criteria based on their business or commercial ties to California.
As a result, thousands of businesses—including the ones not physically located in the state of California—could find themselves subject to the CCPA. This is similar in manner to those businesses not based in EU countries yet are still subject to the GDPR.
Note: There is a follow-up to this blog where we compare closely the differences between GDPR and CCPA.
What rights do California residents have under the CCPA?
According to the CCPA, California residents have the following rights:
- The right to be informed: businesses must give sufficient notice of the following:
- the categories of personal information to be collected
- the purposes for which the collected personal information is used
- if a business sells personal information about the consumer to third parties, the rights of the consumers and the methods to exercise such rights must be given to consumers
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.— CCPA, Section 1798.100. (a)
The CCPA also states that businesses must inform customers before or at the point of collection.
- The right to equal service and price - business cannot discriminate against consumers who exercise any of their CCPA rights
- The right to deletion - a consumer can request that a company deletes all the personal information it has collected about them. The scope of this right also impacts third parties to whom that data has been sold/passed on. (
- The right to opt-out - a consumer can ask a company to cease the processing and selling of their data. Furthermore, consumers also have the right to opt-out from the subsequent selling of their personal information by a third party that received their personal information.
- The right to access - a consumer has the right to request access - free of charge - to the data that a company holds about them. In this case, the organization must indicate:
- the categories of personal information collected/sold
- the categories of sources from which the personal information was collected
- the business or commercial purpose for collecting or selling personal information
- the categories of third parties with whom they share personal information
Some more good news specific to CCPA and your visitor management
If all these rights listed above are making you nervous, then you can be rest assured that the right visitor management software can help.
Going digital with a cloud-based visitor management system like Proxyclick's can help you manage and maintain your business's visitor data for CCPA audit purposes (similar to how we already do this for companies needing to stay in line with GDPR's level of consent, data minimization, and right to be forgotten).
What qualifies as "personal information?"
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Therefore, according to CCPA, “personal information” includes categories of information such as:
- identifiers like a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- biometric information;
- internet or other electronic network activity information, that includes browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
- geolocation data;
- audio, electronic, visual, thermal, olfactory, or similar information;
- professional or employment-related information;
- education information provided that it is not publicly available; and
- inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, etc.
How can your business comply with the CCPA requirements?
Once you determine if the CCPA applies to your organization, you can move on to the next step—mapping the customer data you collect.
Doing that requires answering a number of questions:
- What personal data is currently collected?
- What are the methods used for data collection?
- Where and how is this data stored? Is this data shared? If so, with whom?
- Which is the main purpose of the collection of data?
There are 9 points that should be included in your company's DDP.
- A description of the new rights afforded California residents.
- A description of the methods for submitting personal information or erasure request.
- A link to an opt-out page on the website.
- A list of all the categories of personal information collected in the past 12 months.
- The sources of each category of personal information.
- All of the purposes of using each category of collected personal information.
- A list of the categories of personal information sold in the past 12 months.
- A list of the categories of personal information disclosed for a business purpose in the past 12 months.
What happens if your company fails to comply with CCPA?
Any violation of the CCPA is assessed by the California Attorney General.
Intentional violations could result in a penalty of $7,500 per violation, and in the case of non-intentional violations, it could cost a business $2,500 for each violation of the CCPA requirements.
Additionally, CCPA provides consumers with a cause of action to seek damages for violation of privacy laws if their personal information was accessed illegally, stolen, or disclosed as a result of data breaches.
Statutory damages for such cases would be no less than $100 and as much as $750 per consumer per incident.
CCPA is just the tip of the iceberg
Many states are following suit, and have started to create their own data privacy regulations.
For example, Massachusetts, Maryland, Washington, D.C, and other U.S. states are already deliberating on passing privacy and data protection laws of their own.
Transparency and trust are always required when data privacy and protection are involved. Now, more than ever, it's time to take the steps necessary to protect the privacy of your customers and visitors alike.
Our team will be following the CCPA's movements, so stay tuned for more content!
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.