5 Key Provisions of the CCPA You Need to Know
If you do business in California or your website users are Californians, the CCPA is something you need to know about. If you don’t, your organization may be facing serious consequences.
The CCPA is designed to protect the personal information of consumers. It requires businesses to notify California consumers of what personal information is being collected, how it will be used, and whether it will be sold.
Right to Notice
The California Consumer Privacy Act (CCPA) grants California residents a right to notice at or before the point at which personal information is collected. This means that firms must notify customers about the kind of personal information they gather and how it is used.
This is frequently met by including the notification in a Privacy Policy or posting it on an easily accessible web page. The objective is to make it simple for consumers to discover and comprehend their new CCPA rights.
The CCPA applies to any for-profit legal company doing business in California and gathering personal information about California residents. This covers any company that earns 50% or more of its annual revenue from selling its customers’ personal information.
Right to Access
The CCPA protects consumers’ right to access information about them held by businesses. This means they can request a copy of a business’s personal information about them and confirm what that data is used for and who it’s shared with.
This is one of the most important rights under the CCPA because it gives consumers greater control over their personal information. It also ensures that businesses cannot discriminate against a consumer (deny goods or services, charge a higher price, or provide a lower quality) for exercising these rights.
A business must respond to a consumer’s “right to know” request, providing them with information about their personal information and its use. Typically, this will occur through a “subject access request” and can be submitted verbally or in writing.
Right to Delete
The right to delete under the CCPA is a key provision you must understand. It provides consumers with the right to request that you erase any personal information about them that you have collected from them.
However, there are numerous exceptions to this right. For example, businesses can retain consumer data if necessary for completing a transaction; preventing fraud; protecting against a threat to public safety; or preserving records.
Likewise, businesses can keep consumer data if necessary for historical research, statistical purposes, or to comply with legal obligations.
But this exemption has led to some criticisms. Some believe it will lead to the emergence of a use limitation rule instead of a data deletion rule, which could result in businesses maintaining consumer information for internal purposes.
The right to delete under the CCPA represents a significant change in how data is perceived and protected online. It will require companies to implement systems that allow for its enforcement at any time. Those companies should consider the primary objections to a right to delete, which include censorship, rewriting history, and using power to restrict free speech and address them appropriately.
Right to Portability
In addition to the right to access data, the CCPA grants customers the right to “data portability,” which requires them to readily receive and send their personal information to another business without difficulty.
While the GDPR only requires data portability in limited circumstances, such as when data is submitted to a business based on consent or a contract and is processed automatically, the CCPA extends data portability rights to all data, regardless of source.
Businesses should implement technical measures for data portability that allow this right to be fulfilled and ensure that they keep track of the transferred data during the transfer. They should also monitor the data being transferred to identify any transmission issues. This is particularly important for companies that use cloud-based storage and transfer data via third parties.
Right to Be Forgotten
If someone has information they no longer want to have available to companies, they can file a Right To Be Forgotten request. This is a key provision for children under the CCPA, GDPR, and COPPA.
The CCPA defines personal information as data that could be used to identify an individual or a household. This includes identifiers such as a real name, alias, postal address, social security number, or other identifying information. It also includes unique identifiers (such as cookies, IP addresses, or account names), biometric information, geolocation data, internet activity, sensitive personal information, and other categories of personal information.
Another important provision under the CCPA is that consumer requests must be “reasonably verified.” When a customer makes a Right To Be Forgotten or Right To Know request, you must verify their identity. This is a complex and challenging aspect of the regulation that can be difficult to comply with. Businesses must find tools to make compliance easy and ensure accuracy, timeliness, and confidence.