CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act (CCPA), a consumer privacy law, is about to go into effect in California. The law applies not only to companies with physical stores in California, but also to e-commerce (EC) businesses with customers in the state.
This article explains what the CCPA is and how you need to prepare as an EC marketer to avoid violating it.
Disclaimer: This blog post is not legal advice for complying with US data privacy laws like CCPA. It provides background information for a better understanding of CCPA. If you want advice on interpreting the information covered in the article or its accuracy, please consult an attorney, as this differs from the legal advice an attorney gives depending on your specific situation. Please do not rely on this article as legal advice or as a recommendation for a particular legal interpretation.
What kind of law is CCPA?
CCPA is a law that protects the personal information and data privacy rights of consumers living in California. Established in 2018 and effective starting January 2020, it was submitted to the California Department of Administrative Law in June 2020 and is about to come into force.
The CCPA is the most broadly applicable of the various privacy laws that have been in place in the US for some time.
What are the requirements for companies covered by CCPA?
CCPA applies to any company operating in California that meets any of the following conditions:
1. Has more than $25 million in annual revenue.
2. Obtains personal information from more than 50,000 individual consumers, households, or devices per year.
3. Earns more than 50% of annual revenue from selling personal information.
Companies that obtain personal information from consumers living in California are subject to the law, even if their physical stores or branches are not located in California. If you are using consumers' personal information to run a campaign or selling personal information to a third party, you must be careful not to violate the CCPA.
Consumer rights protected by CCPA
Personal information protected by CCPA is data that can directly or indirectly identify, or relate to, Californians and their households. Under CCPA, Californians are guaranteed the following rights:
1. Right to know.
Consumers can find out what data companies are collecting about them and how they are using and selling it.
2. Right to erase.
Consumers can ask companies to erase their personal information. However, there are exceptions to this right of erasure, such as when personal information is required to fulfill a contract or complete a transaction.
3. Right to opt-out.
Consumers can request that companies stop selling personal information to third parties (opt-out). Companies cannot require consumers to sign a contract that limits the privacy rights guaranteed under CCPA.
Responses required from companies
Companies to which CCPA applies need to have a system in place to ensure that these rights are guaranteed. Specifically, the following responses are required:
1. Disclosure of rights and practices.
Companies are obligated to inform consumers about their rights. They must also explain to consumers how the personal information they collect will be used.
2. Comply with consumer information requests.
If a consumer requests disclosure or erasure of personal information, you must comply. This applies to personal information collected up to 12 months before the date of the request.
3. Simplify the process for making requests related to personal information.
You need to make it easy for consumers to make requests related to personal information, such as by providing free phone lines and links on websites. In addition, companies must respond within 45 days of receiving a request from consumers related to personal information.
4. Erase personal information.
When requested by a consumer, that person’s information must be erased. The exception to this is when that information is needed to complete a transaction or for security purposes.
5. Comply with opt-out requests.
Violation of the CCPA by failing to comply with these obligations could result in a fine of $2,500 per incident (per consumer affected by the violation) by the state of California. For willful violations, it is $7,500 per incident.
Ethical use of consumers' personal information has great benefits not only for companies but also for consumers. Stay up-to-date and compliant with the CCPA so you can continue to utilize consumer data in the future.