California has had the most extensive data protection law among the US states. The California Consumer Privacy Act (CCPA), which came into effect on January 1st, 2020, is soon going to be replaced by a new statewide data privacy bill, the California Privacy Rights Act (CPRA), expected to take effect on January 1st, 2023.
The CPRA, known as CCPA 2.0, will further expand the privacy rights of California residents by including regulations around “sensitive data”, new disclosure requirements, and a new definition for “sharing” personal information, among others.
According to Berkeley Economic Advising and Research, the CCPA/CPRA regulations protect over $12 billion worth of personal information that is used for advertising each year in California.
It’s essential for your organization to understand CCPA and the upcoming CPRA privacy laws and make sure your website is fully compliant. Failure to do so puts you at risk of fines starting at $2,500 per violation of data breach, and up to $7,500. If you violate the rights of 1,000 users, your fine could go up to $7.5M ($7,500×1,000 users).
The CCPA and the updated CPRA act concern all businesses that collect, analyze, or store data from California residents, and fit one of these thresholds:
- Gross annual revenue of $25 million
- Buy, receive, or sell personal information of 50,000 or more consumers, households, or devices. Under the CPRA, the scope will be amended to 100,000 consumers per year
- Derive 50% or more of their revenue from selling consumers' personal information. Under the CPRA, the scope will include businesses that not only sell but simply share consumers’ personal information
The CPRA amendments will shift compliance from smaller companies to larger ones whose businesses rely on data collection and sharing of personal information. Organizations that handle the personal information of more than 4 million consumers will have additional obligations.
The CCPA came into effect a month after the introduction of the massive online data protection changes instituted by the EU’s GDPR. It’s no surprise that many refer to the CCPA as the California version of GDPR. That, however, is not entirely true, as the CCPA business requirements are not as extensive as the GDPR cookie consent obligations.
CCPA vs. GDPR. What Do You Need to Know?
GDPR concerns anyone who is based in the EU or collects data from EU residents. The CCPA, in turn, concerns businesses that collect data from California residents.
- Develop privacy notices.
- Include a “Do Not Sell My Personal Information” link or button on your home page.
- Establish the ability for users to access, change, and erase their data, including, at a minimum, a toll-free number at which you can be reached.
- Introduce a system for user identity verification.
- Prepare data maps, inventories, or other records of California residents’ personal data to let them exercise their CCPA rights.
- Introduce a method for obtaining consent from parents of minors under 13, and direct consent from teenagers 13 to 16 years old.
The CPRA act will introduce additional requirements, modeled after GDPR rules around data protection, purpose limitation, and storage limitation.
When the CPRA takes effect in 2023, the new act will modify 5 consumer rights and will create 4 new privacy rights. These new CPRA rights will include:
- The right to correction. Users can request to have their PI and SPI corrected if they find a discrepancy.
- The right to opt-out of automated decision-making. California residents can say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioral advertisement online.
- The right to know about automated decision-making. Users can request access to and knowledge about how automated decision technologies work and what their outcomes are.
- The right to limit the use of sensitive personal information, particularly around third-party sharing.
The modified CPRA rights will also include rules around data portability, PI deletion from the business and from third parties, and a 12-month limit to PI collection.
Is your website design CCPA compliant?
The best way to audit your digital space for compliance is to check with your digital agency or your marketing team for the following features. You may be CCPA compliant so long as:
- Web users can access their data upon request.
- Users can delete all their data upon request. Some types of data are exempt (transactions, internal analytical data, data for research).
- Users have the choice to prevent having their data sold by selecting a “Do Not Sell My Personal Data” option on your website.
- Users are told how you have used data in the past.
- You disclose all third parties you sell user data to, if you sell it at all.
- You have put in place a system of user identity verification.
- Users that opt for data privacy are not discriminated against and you provide them with the same services as all other users.
- Notice of data collection is shown every time you introduce a new purpose of information collection.
The California Privacy Rights Act is a clear signal that California is adopting stronger rules around data privacy. Even though the CPRA won’t go into full effect until January 2023, your organization and website should prepare for compliance sooner rather than later.