The California Consumer Privacy Act (CCPA), AB 375, was passed in late June 2018 and could have more repercussions for US companies than the EU’s General Data Protection Regulation (GDPR). The broader vision of CCPA has spread the premises of data privacy and its perspectives. CCPA contains regulations that intersect with the GDPR’s onerous requirements. Its major focus is on security challenges and the dynamic measures that should ultimately be taken to secure private data.
CCPA 2018 has introduced reforms that cause a major change in data protection and privacy rights for the IT industry and for companies dealing with customer data. It is mandatory for businesses to disclose the data they collect from users, the motive behind collecting it, the nature of the data, and the norms used to process that data. According to California law, companies will be sued if they violate the guidelines even if there is no data breach.
Besides this, companies that comply with CCPA regulations add value to their business profile. Business credibility increases, because compliance with local regulators means that the company has adopted all security and precautionary measures against data breaches and for internet privacy, which contributes value to the company.
Highlights of CCPA:
AB 375 sets out requirements that contribute to security and minimize the risk of data breaches. The act imposes penalties, in the form of harsh fines and imprisonment, on those who fail to comply with the regulations that apply to them. Under AB 375, the data in scope is the private information used and operated on within an organization, and the act demands steps to secure that data. A company that already complies with GDPR does not need to comply with AB 375, because the GDPR checklist covers more or less the same goal of protecting user data to avoid security lapses.
Consent management before using Customer data:
Tech companies are asked to obtain consent from consumers before taking personal information. Additionally, before selling that data to a third party, consent should be obtained from consumers while telling them where their data will be used, for which purpose and for how long. This consent should be freely given through affirmative and obvious statements. Pre-ticked checkboxes are not allowed; consumers should tick them manually after reading the terms and conditions.
Consumer data and privacy rights:
Consumers can ask the company to demonstrate where their data is used and for which purpose. They can also ask for the data history and even the methods used for data collection and processing. Consumer data is an asset for companies and needs to be protected from possible breaches and internet threats.
Clear policies and conditions:
Consumers should be given obvious terms without any vagueness in the statements. There should be checkboxes available for users saying ‘do not sell my personal information’. This consent is mandatory for companies dealing with user data. In the case of illegal use of data, the consumer can sue the company, which will be subject to hefty costs that could range from $2500 to $7500 per violation.
Online Businesses and CCPA norms:
Starting with social media networks, a large number of companies use the traits of social media customers to make decisions for their online shopping business. Similar companies are aware of this trend and prefer to use consumer data to evaluate user behavior on certain aspects. That could help them generate more revenue by analyzing the interests of users and providing them with what they actually need. Online marketing sites and information providers are adopting these norms to provide their customers with what they want at first sight. Search engines fall into this category and will surely be affected by the California Consumer Privacy Act.
With the increasing adoption of CCPA norms, and to comply with KYC (Know Your Customer) and AML (Anti Money Laundering) regulations, online businesses are using identity verification services to authenticate third parties and end-users through multiple means, including ID card verification, face verification, biometric authentication, and AML and PEP related background checks. Otherwise, businesses have to face online fraud and payment scams, which also include data breaches and similar cyber attacks.
‘GDPR Lite’ Concerned Businesses
CCPA, also called GDPR Lite, is going to be in effect from January 2020, and it contains business specifications that determine which businesses it applies to. Businesses do not have the sole intention of making a profit when posting products for sale; user data is also used and processed by several data generation companies and brands to analyze user behavior, which helps business executives and information officers decide where to invest their money. Legitimate businesses with the following attributes are considered liable for CCPA compliance:
- A business that generates $25 million of annual revenue
- A business that deals with the data of 50,000 California consumers
- A business that generates 50% of its revenue from buying and selling consumer data
Aside from these basic stipulations, businesses that deal with California consumers are also subject to this compliance, wherever in the world they operate. To maintain legitimacy among business norms, U.S. companies will be in dire need of complying with the imperative requirements of CCPA to keep their business free from regulatory fines and monetary loss. CCPA not only defines liability for user data but also provides reliability and soundness in the systems that businesses maintain for the sake of implementing security and complying with local regulatory authorities.