Correcting these misconceptions could save you thousands in fees
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
1. “We will be compliant once we update our privacy policies.”
2. “CCPA is IT’s problem.”
While technology is vital to CCPA compliance, it is not the only component of CCPA compliance. As mentioned above, many employees often create workarounds for their personal workflows that compromise customer information. These workflows are not an IT problem, these are an Operations problem, and so plugging these holes requires participation from Operations. Many customers also contact companies through their helpdesk and social media and provide personal information through these channels; CCPA requires companies to have processes in place to delete these sources of customer information as well. All of the holes in your company must be plugged in order to be CCPA compliant.
3. “We are already adding an Opt Out button on our privacy page.”
There are two misconceptions at play here. The first is that an opt-out button on the privacy page is adequate. It is not. The opt-out button must be on the home page for CCPA compliance. The second is the efficacy of the opt-out button:
- Does the act of “opting out” trigger information removal from multiple systems?
- Does it communicate this request to 3rd party affiliates?
- Does this produce a report about what steps were taken to remove the information & send it back to the requesting party?
To be compliant with CCPA, the opt-out button on your home page must do all these things.
4. “We did this for GDPR two years ago, so we are good!”
While GDPR and CCPA were both passed for similar political reasons and have many similar requirements, they are not the same. Relying on your GDPR compliance for your CCPA compliance will most likely result in your company not being CCPA compliant at all.
DLP Piper deep dives into the differences:
In some respects, however, the CCPA does not go as far as GDPR. Most crucially, the CCPA does not require businesses to have a “legal basis” (a justification set forth in GDPR) for the collection and use of personal information. The CCPA also does not restrict the transfer of personal information outside the US, or require that businesses appoint a data protection officer and conduct impact assessments. In addition, California residents’ right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.
In other respects, the CCPA differs or goes beyond the scope of GDPR:
- The CCPA’s definition of personal information specifically includes household information.
- Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
- Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
- Finally, the GDPR and CCPA take different approaches to children’s privacy rights. GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment — but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children’s information — not all processing — and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13–15 can provide their own consent.