In this post we explain the CCPA requirements for businesses and the most important elements of the California Consumer Privacy Act.
Which Businesses Must Comply with CCPA?
Unlike the EU's General Data Protection Regulation (GDPR), which applies to all businesses that collect or process the data of EU residents, CCPA only applies to for-profit businesses that meet certain criteria. Any business that meets one or more of the criteria below is required to comply with CCPA.
- Has annual revenues of more than $25 million
- Collects information on 50,000 or more California households or residents each year
- Earns 50% or more of its annual revenue from the sale of the consumer data of California residents
These requirements may be updated or expanded to include a wider range of companies. Make sure you keep up to date with any changes to CCPA if you collect or process the data of U.S. consumers.
It is not just companies with a base in California that are required to comply with CCPA. Any company that does business in California or collects or processes the data of California residents is required to comply with CCPA.
What Are the CCPA Consumer Rights?
CCPA was introduced to give California residents greater control over their personal data.
Consumer rights under CCPA include:
- Right to know what personal data is being collected
- Right to know what personal data is held by a company
- Right to know how personal data is being used by a company
- Restriction of the use and sale of personal data of minors (under 13) without parental consent
- Restriction of the use and sale of personal data of minors (13-16) without direct consent
- Right to delete all personal data held by a company
- Right to opt-out of having personal data sold
- Right to non-discrimination, in terms of price or services, if CCPA rights are exercised
- Right to take legal action against companies for privacy violations and the failure to honor CCPA rights
- Requests from consumers must be confirmed within 10 days and honored within 45 days
Key CCPA Requirements for Businesses
- Businesses must ensure consumers are notified about the collection of their personal data before data is collected and consumers should be given the option of opting out of the collection of their data or the sale of their data. Personal data should only be collected for specific and legitimate purposes.
- Maintain procedures to respond to requests from consumers to access their data, delete their data, and opt out of the sale of their personal information. Procedures must also be developed and maintained relating to the collection and use of the personal information of minors.
- Businesses must offer consumers two methods to request their data and to have their data deleted. One mandatory method is a toll-free telephone number. If a business primarily operates online, a web-based method should be offered.
- Any member of staff who handles consumer data must be trained on the requirements of CCPA. Oversight of compliance must be delegated to an individual or team.
- Businesses must verify the identity of the consumer before providing or deleting their data in response to a request.
- CCPA does not go as far as GDPR in terms of data security requirements for businesses. CCPA does not stipulate the security measures that must be implemented to protect consumer data, but it does require businesses to have adequate protections in place to safeguard consumer data, including measures to prevent unauthorized data access. Bear in mind that penalties can be imposed for data breaches and consumers can take legal action over the exposure of their data if the company holding that data has been negligent. Consumer lawsuits can require payment of up to $750 per consumer in the event of a CCPA violation and it is not necessary to provide proof of harm. A large data breach could therefore prove very costly.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers three solutions that can help with CCPA compliance: SpamTitan Email Security, WebTitan DNS Filtering, and ArcTitan Email Archiving.
- SpamTitan is a powerful email security solution that provides industry-leading protection against spam and the leading causes of data breaches – phishing attacks and malware infections.
- WebTitan is a DNS filtering solution that provides an additional level of protection against phishing attacks and malware. WebTitan blocks attempts by network users to access malicious websites such as those used for phishing or malware delivery, thus helping to prevent the exposure of consumer data.
- ArcTitan is an email archiving solution that helps businesses keep email data protected, meet email retention requirements, and quickly find and recover emails when dealing with customer complaints or demonstrating compliance, and that supports finding and deleting a consumer's data when a deletion request is received.