Open in app

Sign in

Write

Sign in

What is California Consumer Privacy Act and how can I conform to it?

Over the last five years, corporations have been facing increasing pressure to protect customers’ privacy rights and to comply with regulations.

Product Analytics Insights
Countly
9 min readNov 8, 2019

--

California, home to the world’s largest technology companies, is putting CCPA into effect to protect the information security and rights of its citizens. The California Consumer Privacy Act (CCPA), which is expected to come into force on 1 January 2020, has been created for similar purposes as the EU’s General Data Protection Regulation (GDPR).

California Attorney General Xavier Becerra released to the public proposed regulations under the California Consumer Privacy Act (CCPA) last month and said:

Knowledge is power, and in the internet age knowledge is derived from data. Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private.

What’s California Consumer Privacy Act?

California Consumer Privacy Act is a new consumer privacy law that will affect all companies doing business with Californians. CCPA regulates how companies handle personal information, implements restrictions on organizations that collect, store and sell Californian people’s personal information, and gives consumers new rights to access and delete data.

The CCPA brings new rights to Californian consumers;

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
  • The right to delete personal information held by businesses and by extension, a business’s service provider.
  • The right to opt-out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information.
  • Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises privacy right under CCPA.
  • The right to deny the sharing of their information.

Although the above items appear to be few, they will affect almost all industries. CCPA brings huge responsibility to companies that process, sell and use data of citizens without permission. With this law, data privacy of children is guaranteed.

Some big tech companies have already worked on this, for example, Apple (see Are you ready for Apple’s new kids section update?), but many of them will follow these companies once this law is in force and many of those companies may have to re-design their system.

Who will be affected by California Consumer Privacy Act?

CCPA applies all companies in the world if they process personal data of California residents. California resident is defined by the California laws as any person who is in California for other than a temporary or transitory purpose or is domiciled in California, but is outside the state for temporary or transitory purposes.

Companies should comply with CCPA if they;

  • Collect personal data from Californian residents
  • Exceed one of the limits of 1) At least 25M USD annual gross revenue, 2) Obtains personal information of at least 50,000 California residents, households, and /or devices per year or 3) have at least 50% of annual revenue comes from selling California residents’ personal information.

What are the penalties for non-compliance?

Large penalties may be raised for organizations that do not comply with the CCPA. Individual consumers can get $100 to $750 in the event that the company is careless and gets hacked. In addition, the CCPA calls for penalties of up to $7,500 for intentional violations but relies on California’s Attorney General to enforce this.

The amount looks small to you, doesn’t it? Let’s not forget that this amount will change according to the number of users. For example, you have an e-commerce website and 10,000 people from California who are members here. In case of any violation, you will pay a penalty for all users. This means that in case of violation of the data of 10,000 people you will pay $ 75M. This may cost your business if you have a violation.

Is CCPA the Californian version of the GDPR?

GDPR, which can be considered the most comprehensive data law in the world, came into force last year. While similar situations and concerns have been taken into account when preparing CCPA, it is not exactly the same as GPDR. Although there are differences in many ways, they may be important to you;

Applicability: While GDPR is limited to the European Union, CCPA is defined as the companies doing business in California. In other words, companies that do business globally will need to check whether CCPA applies to them in addition to GDPR.

CCPA does not cover companies where “all business conduct occurs outside of California”. Companies that process the personal information of California residents are not subject to this law unless they exceed at least one of the thresholds given above.

Concept of Personal Data: The concept of personal data is not defined in the same way in the two laws. Although both laws refer to information about a person/consumer information, the CCPA explicitly includes a detail that can reasonably be connected to a home. This means that not only the IP address of a consumer, but also the bills of the California household are personal information under CCPA. Also, biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic and employment information and inferences that are drawn to create a profile about the individual to reflect preferences are considered as Personal Data.

User Rights: Unlike GDPR, CCPA does not define any legal grounds for processing and does not require explicit approval. However, the Act aims to improve the privacy of Californians by providing consumers with an effective means of controlling their personal information. Accordingly, CCPA places great importance on consumers’ right to know which categories of personal information are collected about themselves and gives access to a copy of the personal information collected. Although these rights appear to be similar to those found in GDPR, CCPA continues to include certain strict rules, such as providing a toll-free phone number and website address to forward information requests of customers.

Commercial Use: A provision of the CCPA that exceeds the level of protection by GDPR concerns the sharing of personal information for commercial purposes. It is forbidden to share personal information about California residents with third parties, but California citizens are also entitled to opt-out of the sale of their personal information. In order to secure this right, businesses are obliged to provide an open link on their home page called Sat Selling My Personal Information ”.

This link must also be included in the privacy policy.

How to be prepared for the California Consumer Privacy Act in 6 steps?

You need a roadmap to adapt to the CCPA with little time left before it comes into force. In addition to keeping your entire organization informed, you can proceed in 6 steps for compliance.

1. Assess the applicability of CCPA to your business

Review your customers and operations to see if your company is covered by CCPA. If you provide at least one of the following, you are covered by CCPA.

  • Collect California consumers’ personal information and have annual gross revenues in excess of $25m
  • Process the personal information of 50,000 or more California consumers, households or devices
  • Derive 50% or more of your annual revenue from selling California consumers’ personal information

2. Review your data collection process and data streams

It is important that you understand which personal information your business collects, how personal information is processed and with whom it is shared. CCPA will ask you to disclose the collected data to consumers who request it and to inform consumers about your data collection practices before receiving personal information. If you haven’t already done so, you can create system diagrams that document the life of collected data and data flow maps to find a customer’s personal information.

PS: You can benefit from the mindmap tools in this step, and mindmeister is one of the best products on this topic.

3. Maintain records of data processing activities — min 1 year

According to CCPA, a California consumer has the right to request an entity to provide certain disclosures about the processing of this consumer’s personal information in an easily usable manner within the year prior to its request. This is sometimes called “look-back“. Since consumers can start exercising their rights on January 1, 2020 and request information about an entity’s data processing activities, this technique means that one year before a possible request, businesses must keep records so that they can respond effectively.

4. Review external privacy policies and other consumer disclosures

CCPA requires certain disclosures to consumers. Reviewing existing disclosures and commitments made by you can help identify missing disclosures and commitments required under the CCPA.

5. Plan how to communicate your users & customers about CCPA compliance

Create a uniform, public message that communicates to your customers and users about your company’s position on CCPA compliance. This message should be positioned in a way that is accessible to a consumer or corporate customer when they ask for CCPA. The message should be disseminated throughout the business to ensure that employees understand how to effectively communicate the entity’s attitude to CCPA.

6. Assess third-party tools

One of the main requirements under CCPA is to give consumers the opportunity to refuse to “sell” their personal information. The standard is mandatory if the user is under 16 years of age.

The definitions of “personal information” and “sales are both extensive. In addition, if certain checks have been made with a service provider, a secure port is provided by the service providers for non-compliance. Therefore, consider all third parties with which the entity operates and agreements with such third parties, both for the parties to whom the data is transmitted and for the other parties when the entity is a data receiver.

Countly, the world’s leading self hosted product analytics platform can help you conform

If your organization collects, hosts or analyzes personal data of California residents, CCPA provisions require you to use third-party data processors, including mobile and web analytics providers, who guarantee their ability to implement the technical and organizational requirements of the CCPA.

We have worked with many companies to date and we have an extensive knowledge in this domain, especially when it comes to General Data Protection Regulation (GDPR), HIPAA and COPPA, collaborating with several parties and conforming to their standards and regulatory laws. This has enabled us to make Countly the platform of choice when it comes to data privacy and security.

Below you can read some of the unique features of Countly and how it helps secure sensitive information.

  • Self-hosting options: Countly can be installed on-premise (i.e. either in your own data center or with a trusted hosting partner), allowing for greater depth and breadth of security and control. Self-hosting means that no third party (not even Countly) ever has access to your data unless you permit it. When installed on-prem, the only stakeholder is the owner of the Countly instance, hence the control.
  • Right to be forgotten: If a California resident asks for his data to be removed, it can be completely wiped out in Countly. Countly also has a “blocking rule” plugin which blocks data from reaching Countly database using several criteria like username, email, IP address, deviceID etc.
  • Data portability: Our database schema is completely open, allowing any Countly client to transfer data from Countly to another service easily. This can be done in a few ways, e.g using MongoDB command line or via API calls.
  • Secure transmission: Data collected from devices are sent over a secure channel, and cannot be tampered — this eliminates intruders and potential man-in-the-middle attacks.
  • Extensive system audit logs: There are more than 30 different system logs collected, and this helps system administrator know what is happening inside the server. In case of an emergency or an audit, logs can be viewed, allowing organization insight into what has happened and the cause of issue.

Conclusion

Our customers care about privacy and data security. That’s why Countly gives customers data ownership and control through powerful tools that enable them to define where their data is stored, and to secure their data to be transferred or listened to.

As with GDPR and many other regulations, we continue to play a facilitating role in our customers’ compliance processes.

— Orhan Bayram, content marketing at Countly

Privacy
Consumer Privacy Act
Gdpr
Ccpa
Security

--

--

Product Analytics Insights
Countly

Written by Product Analytics Insights

7K Followers

Countly is a product analytics platform built to ensure privacy by design. Find us at https://countly.com/blog

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams