In the digitally driven world we live in, many individuals feel like they have less and less control over their personal data. When most of us log in to a new device or install an app, the first thing we see is a flurry of notifications asking for permissions to our data. In the last few years, consumer pushback against business data collection has increased in response to several large organizational data breaches, resulting in legislative changes.
‍

Recently, California's California Consumer Privacy Act (CCPA) went into effect to help safeguard consumer rights and place regulations on businesses for how they address customer data and online privacy. Understanding this new piece of legislation is critical for any business that operates or has customers in California. 

What is the California Consumer Privacy Act?

The California Consumer Privacy Act was signed on June 28, 2018 by Governer Brown, but was enforced starting July 2020. This groundbreaking law is the first of its kind in the U.S to directly legislate consumer privacy rights online. Under the CCPA guidelines, businesses must respect certain clearly outlined consumer rights to avoid regulatory fines or potential lawsuits.  

Which Businesses need to follow CCPA guidelines?

The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:

• Have a gross annual revenue of over $25 million;
• Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.
  

Will I be affected if my business is outside of California?

Yes. The CCPA guidelines state that if you do business with customers in the state of California, you must comply.

Consumer Rights Protected Under CCPA

If your business serves California residents, you must comply with the following:

1. The right to know if a business is collecting their personal information.
2. The right to know how a business uses and shares the information it collects.
3. The right to delete personal information collected from them (with some exceptions);
4. The right to opt-out of the sale of their personal information
5. The right to non-discrimination for exercising their CCPA rights.
   

Examples

Dylan added several golf clubs to his online shopping cart over the last few weeks. Dicks Sporting Goods, the seller used cart behavior and clickthrough data to infer that Dylan may be interested in other golf equipment and categorized him as a “ready to buy” customer for marketing follow-up. Under the CCPA, Dicks Sporting Goods must fulfill Dylan’s request to access his consumer profile and see how the data was collected.

How can businesses notify customer about data collection?

Businesses may notify consumers by including a disclaimer in the footer or at the bottom of your website or using a pop-up alert.

How can businesses notify customers about data deletion?

Under the CCPA, businesses are given 45 days to respond to any customer who requests to see their data profile or have their information deleted.  The CCPA also requires that businesses have a part of their website where customers can file any data-related requests.

Exceptions

Under the CCPA, there are a handful of exceptions to the right to delete that a business can claim. Deletion is not required if:

• The business cannot verify your request
• If the personal information is certain medical information, consumer credit reporting information, social security numbers, account passwords, or other types of information exempt from the CCPA
• If the requested information is essential for certain business security practices
• Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  

How is the CCPA Enforced?

Enforcement of the CCPA currently falls in the jurisdiction of the California Attorney General. Penalties for violating the CCPA may include hefty fines of up to $7500 per violation or up to $750 per customer affected. Under the CCPA, consumers are also encouraged to take individual legal action if they think that their consumer rights are being deliberately violated.

How Cyber Liability Insurance can help protect your business?

Cyber Liability Insurance enables your company to protect against first- and third-party cyber-attacks. This includes breach notification, legal defense costs, and system disruption in the event of a cyber-attack. A good Cyber Liability policy covers virtually every aspect of total cyber exposure. You can purchase a Cyber Liability policy online from Zeguro and adjust limits with them to suit your needs. Once it binds, it stays in effect for the rest of the policy term.

Start your Quote Today  

Update

In light of California’s Consumer Privacy Act going into effect, other states have followed suit. A few days ago, Virginia passed its own comprehensive privacy law called the CDPA (Customer Data Protection Act), joining California as the second state to do so. The act draws inspiration from both the California Consumer Privacy Act (CCPA) and a new proposed Privacy Act in Washington. The act has very similar provisions and penalties to the CCPA and primarily applies to companies and individuals conducting business within the Commonwealth of Virginia or those who manufacture or provide goods or services to Virginia residents. 

1. control, process or handle the personal data of at least 100,000 Virginia consumers during a calendar year.
2. control or process more than 250,000 personal data of consumers. Personal data sales make up over 50% of their gross revenue.

The passage of both the CCPA and CDPA reflects changing sentiment surrounding consumer privacy and data protection. Business owners can expect other states around the U.S to start considering similar legislation.