CCPA affects consumer data in two ways:
- Establishes and protects data privacy rights for California residents
- Enforces regulations on businesses pertaining to the housing, sharing, and sale of personally identifiable information (PII)
The California data privacy law goes into effect on January 1st, 2020. However, businesses have been given a grace period of 6 months to comply with the new legislation.
The CCPA places new obligations on organizations that collect and sell personally identifiable information (PII) of California consumers.
The CCPA is enforceable against businesses that meet the following criteria:
- It has annual gross revenue of over $25 million.
- It engages in buying/selling/receiving data of at least 50,000 consumers, households, or devices.
- It generates at least 50% of its annual revenue from selling consumers’ personal information.
Regardless of whether your organization is B2B or B2C, if you engage in commercial data activities with any California residents, you must comply or face the penalties.
To comply with the California Consumer Protection Act, companies need to do the following:
- Provide 2 methods for a person to request access to their PII, have it deleted, and opt out of its sale: a toll-free telephone number and a web address to the designated CCPA page
- Respond to verified consumer requests and opt-out requests within 45 days
- Ensure you can find all instances of that data across all systems (e.g. CRM, marketing automation platform, ERP, data lakes, etc.)
- Provide a portable report of an individual’s PII which may be delivered by mail or electronically
- Include a “Do Not Sell My Personal Information” link on your company’s website homepage
Fines for companies are $2,500 per violation (and $7,500 for willful violations). Companies are also open to lawsuits from California residents, should the offending company not follow protocol. Fines for individuals who partake in the sale of data are between $100 and $750 per violation.
In addition to the myriad of regulations, businesses must comply with the “look back” requirement. Under the CCPA, the PII in a portable report must cover the 12-month period preceding the date upon which the covered business receives a verifiable consumer request.
If you are a California resident (as shown officially in tax documentation), you are now able to access, delete, and opt out of the sale of your personally identifiable information (PII).