This article is written to help inform individuals about the CCPA regulations. Please review the laws on your own, as well as have a lawyer or data security professional help you identify needs and process regarding the regulations.
On January 1, a new set of regulations known as the California Consumer Privacy Act will take effect. These new regulations will cover residents of California who have had their data obtained by large-scale companies.
Not all companies are required to be compliant with the laws and guidelines of CCPA. Review the following standards to see if your company is required to be compliant.
According to the bill known as Assembly Bill #375, “Business” means:
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
AB-375 also states that a “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
Companies do not have to be located in the state of California to be held responsible. This is similar to GDPR, under which companies do not have to be located in Europe to be held responsible when dealing with consumers from these areas.
AB-375 covers what personal information means according to CCPA.
The bill states “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
For our company, we currently do not meet any of the current requirements for CCPA. We will still be as transparent as possible to comply with the provisions for GDPR. We do use Google AdSense and have been working with them to meet the needs of consumers in the EU for GDPR, as well as residents in California regarding CCPA. Our company has requested that Google AdSense restrict data processing for our visitors.
CCPA and GDPR have similarities and differences when it comes to data privacy. Both sets of regulations require companies to provide consumers with transparency on how to manage their personal data.
Roland Costea has compiled an online Udemy course to obtain entry-level certification on knowledge regarding CCPA and GDPR.
Cognizant provides services to companies that meet the needs of the CCPA guidelines. Watch the following YouTube video for more information.