Any company or business operating in California and collecting personal information from customers or clients residing in the Golden State must comply with the California Consumer Protection Act (CCPA). This also applies to companies or businesses headquartered in or operating from another state or country. Considered one of the strictest privacy laws in the United States, the CCPA gives California residents the ability to control how businesses process their personal information. Read on to learn what the CCPA compliance requirements are and the steps your business can take to comply with California privacy law.
What Is the CCPA?
The California Consumer Protection Act (CCPA) provides California residents with certain legal protections and guarantees surrounding the collection, storage, access, and use of personal data gathered by a company while doing business. The CCPA’s wide range of consumer protections imposes several requirements on companies: to notify customers that their personal information is being gathered and stored, to inform customers of how their data will be used, to give any customer the choice to opt out of data collection, and to delete promptly any existing personal data in the company’s possession on request.
Who Needs to Be CCPA-Compliant?
Not all companies fall under the statute, however. For instance, non-profit organizations, HIPAA-covered healthcare providers, and law enforcement or governmental entities are exempt. But any company or business that satisfies at least one of the three requirements noted below is advised to develop, enact, communicate, and enforce privacy policies that satisfy California’s legal requirements.
A company or business must be CCPA compliant if it has any one of the following:
- Gross annual revenue over $25 million;
- Personal information of 50,000 or more consumers, households, or devices; or
- More than half of its annual revenue earned from the sale of personal information.
What Constitutes Personal Data?
The CCPA has a very broad definition of what constitutes personal data. With the exception of small local businesses operating on cash or without any need to retain a list of customers, most businesses have possession of customer information that meets the legal standard of personal data according to the CCPA.
The CCPA covers all Personally Identifiable Information (PII) such as:
- Mailing or billing addresses
- Credit card numbers
- Income or similar information
- Internet browsing and search history (including the use of browser ‘cookies’)
- Political or religious affiliations
- Biometric data
5 Steps to Meet CCPA Compliance Requirements
1. Inventory and catalog all existing stored personal data
Be aware of all the data your organization collects, including what, where, and when data collection is performed when working with any given customer. Safely store and catalog or tag all personal data to make it secure and easily searchable. This will help facilitate the processing of any data deletion requests from your clients.
2. Review all contracts with third-party service providers
Third-party providers potentially house an organization’s data, including external vendors performing marketing, billing, or collections. Businesses and organizations should review existing contracts to determine which third parties might be collecting, processing, or retaining personal information on that organization’s behalf. After identifying contracts that may expose the company to CCPA compliance issues, the next steps would include amending or renegotiating those contracts to ensure compliance.
3. Bring existing data stores into compliance
Not all personal data is equal. It is important to understand precisely which pieces of PII fall under the CCPA, how CCPA data is to be stored, and the length of time CCPA data needs to live within your organization’s network.
4. Create “privacy-forward” policies and rights request processes
Under the CCPA, businesses are required to publicly disclose and inform consumers of the existence and nature of consumers’ rights. This means a business that could fall under the CCPA’s regulatory authority must have a written policy statement posted for customers to review. Policy statements must also include easy-to-follow opt-out procedures. For online customers, this typically takes the form of an opt-out button or icon.
5. Establish internal data governance and management procedures and personnel
Having clear data collection, storage, and accountability structures in place keeps your whole team on the same page regarding how your company expects personal data to be treated. By having organized data systems and accountability running alongside usual daily workflows, you can protect your business from unintentionally running afoul of the CCPA.
What if a Company Isn’t CCPA-Compliant?
If a business is found to be in violation of the CCPA, the state of California may levy financial penalties. The penalty for unintentional violations is $2,500 per violation. If the violation is deemed to be intentional, then the penalty rises to $7,500 per violation. The risk to any business of being found to be non-compliant could easily amount to hundreds of thousands of dollars.
CCPA compliance is a necessary but time-intensive process for any business.
Build Your Digital ID Verification Process with Integrity
We hope you found this guide to CCPA compliance requirements helpful!
Integrity by Aristotle has built a powerful suite of identity verification solutions to streamline the ID verification process. ID-Direct is a web-based solution that allows you to quickly and conveniently authenticate individuals online against our database of government-issued IDs for citizens of 135 countries around the globe. Contact us today to learn how we can help your business build a safe and effective risk-based digital ID verification protocol.