As a business owner, you have a responsibility to protect sensitive customer information. Data is very valuable, and people have serious concerns about the safety and privacy of their data. The CCPA was created to empower consumers by giving them better control over the usage of their data that may be collected, used, stored, shared, or sold.
Here’s what your business should know about CCPA compliance and how Mosey can help you keep your data collection practices above board.
What Is the Importance of Data Collection for Business?
Although data collection, use, and sharing are controversial issues, consumer data is one of the most important tools to promote the growth of a business. Data helps businesses customize customer experience, develop better products and services, and create stronger ad campaigns. Unfortunately, many consumers don’t view this data collection strategy as positive.
The CCPA is a consumer protection counterweight to data collection practices. It doesn't forbid businesses from collecting customer data, but it places more control in the hands of the consumers whose data is collected.
What Is CCPA?
The California Consumer Privacy Act (CCPA) of 2018 is an act designed to protect the privacy and data rights of consumers. The CCPA requires businesses to be forthcoming about the data they collect and how they intend to use it, giving users, customers, or clients the ability to control what they’re comfortable sharing and give informed consent.
The CCPA is enforced through CCPA regulations, which have several core provisions that businesses must follow. These provisions were updated in 2020 and again in 2023 to give consumers a broader range of rights and increase responsibility for businesses:
Businesses cannot discriminate against consumers for exercising their CCPA rights, such as opting out or requesting deletion (for example, by charging them a different price or providing a lower level of service).
Consumers have the right to request that a business delete, edit, or amend data they have collected about them.
Consumers have the right to know every piece of data a business intends to collect about them, how the business intends to use that data, and any third parties the business may share the data with.
Consumers have the right to limit a business's use and disclosure of their sensitive personal information (such as precise geolocation, government ID numbers, or account credentials) to what is necessary to provide the requested goods or services.
Businesses may not sell or share the personal information of consumers under 16 without opt-in consent: a parent or guardian must consent for children under 13, and consumers aged 13 to 15 must consent themselves.
These privacy rights continue to evolve as the State of California sees the need to fortify them. They may change or become more restrictive with time, which is why it’s important to remain aware of the evolution of data privacy rights. Keeping up with the rules and staying ahead can prevent noncompliance issues in the future.
Who Must Comply With CCPA Rules?
Although the CCPA is California law, it applies to any organization that may do business in California. If your e-commerce business sells products or services to California consumers, you may be required to comply with CCPA.
If your business meets any one aspect of the following criteria, CCPA rules apply to you:
- Your annual gross revenue is greater than $25 million
- You buy, sell, or share the personal information of 100,000 or more California consumers or households per year
- 50 percent or more of your annual revenue is derived from selling or sharing personal information
If your business is established or registered outside of California but meets at least one of these criteria, the CCPA still applies to your dealings with California residents.
There is no disclaimer that lets a business opt out of the law: the choices are to adopt CCPA-compliant practices or to stop doing business with California residents. Because a stated policy of non-compliance would also alarm customers, compliance is almost always the practical option.
Nonprofit organizations are exempt from CCPA rules, as are commercial enterprises that exist and operate completely outside of the state of California. CCPA rules don't override other privacy or information protection laws, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Protected health information already covered by HIPAA is exempt from the CCPA, so HIPAA rules take precedence for that data.
What Are the Consequences for Non-Compliance?
The CCPA's private right of action is limited to data breaches. If a consumer's nonencrypted and nonredacted personal information is exposed because a business failed to implement and maintain reasonable security procedures, that consumer can sue the business directly.
Affected California residents can recover statutory damages of between $100 and $750 per consumer per incident, or their actual damages, whichever is greater. Statutory damages don't require proof of direct financial harm, which is what makes breach class actions under the CCPA expensive.
Before seeking statutory damages, the consumer must give the business 30 days' written notice identifying the specific violations. If the business actually cures the violation within that window and provides a written statement that it has done so, the consumer cannot proceed with an individual or class action for statutory damages (claims for actual damages are unaffected). If the violation isn't cured, the lawsuit can go forward.
The California Attorney General and the California Privacy Protection Agency can also impose civil penalties and administrative fines on non-compliant businesses: up to $2,500 per violation, and up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16. Each affected consumer can count as a separate violation, so penalties scale quickly.
CCPA Compliance Checklist
If CCPA rules apply to your business, you need to ensure compliance with every aspect of CCPA. Compliance can be a lot for smaller businesses to navigate, making it important to streamline the process.
Breaking compliance into smaller parts makes it easier to implement a CCPA-compliant data policy and maintain compliance.
Define the Data You Collect
What types of data do you collect from your customers? How much of that data would be considered personal information? Why are you collecting it, do you really need to collect it, and who are you sharing it with?
Create a data inventory that lists the minimum data you need to collect, why you need it, and where each item ends up. A standard collection profile plus a map of where data flows makes it much easier to answer access and deletion requests and to manage data privacy generally.
Create a Separate Policy for Minors
If children under 13 use your website or services, you need parental or guardian consent before you sell or share their personal information, and the federal COPPA rules separately require parental consent before collecting personal information from them at all. Decide how you will obtain and document that consent, or reconsider the age limits for your services. If your product or service isn't directed at young people and you don't knowingly collect data from them, this may not be an issue.
Users aged 13 to 15 still need a separate policy. Under the CCPA they must affirmatively opt in themselves before you can sell or share their personal information, and a minor who hasn't opted in is treated as having opted out. They're still minors, so it's best to treat their data with extra care.
The parents of minor children can still object to data collected about their children and act on their behalf, so it's best to have your bases covered.
Write a Clear Privacy Policy
Your privacy policy tells your customers what information you collect, why, and what you intend to do with it. It should be thorough and clearly organized with subheadings rather than a single dense block: subheadings help people navigate to the information they need, which can save you phone calls and emails about privacy questions.
Your privacy policy should give customers the information they need to give informed consent when sharing their information with you. It should also spell out their rights under the CCPA and explain how and where they can submit CCPA-related requests.
Create a System for Handling Requests and Opt-Outs
You must allow people to opt out of the sale or sharing of their personal information (and, if you use sensitive personal information beyond what's necessary, to limit that use). If you sell or share data, the regulations require a clear "Do Not Sell or Share My Personal Information" link on your homepage and require you to honor browser-based opt-out preference signals such as Global Privacy Control. Decide how you'll record an opt-out, how you'll pass it on to the third parties you've already shared data with, and how you'll assist customers who opt out. Remember: the CCPA prohibits discriminating against people who exercise these rights.
The CCPA also requires businesses to let consumers request access to, deletion of, or correction of their personal information. You're responsible for a system that accepts these requests (through at least two methods, typically a toll-free number plus a web form or email, unless you operate exclusively online), verifies the requester's identity before releasing or deleting anything, and responds within 45 days (extendable once by a further 45 days with notice to the consumer). Identity verification is the security-critical step: a request process that hands over or deletes records on the strength of an unverified email address is an exfiltration and denial-of-service channel. Assign an owner to monitor the request channel, and consider a request form that feeds a ticketing system so nothing is missed.
Implement Data Security Policies
Your business needs to keep the data it holds safe from breaches. Work with your IT or security team on secure storage, and note that the private right of action covers only nonencrypted and nonredacted personal information, so encrypting personal information at rest and limiting who can access it reduces both the likelihood and the exposure of a breach. Create an incident response plan before you need one: it's better to have a plan and not need it than to discover a breach with no protocol for how to proceed.
You'll also need to keep records of consumer requests and how you responded to them. The regulations require retaining these records for at least 24 months, and they're your evidence of compliance if a regulator or consumer challenges you. Decide how and where to store records of CCPA-related communications, and lock that store down too, since it contains personal information itself.
Train Your Employees in Your Practices
Accidental privacy breaches happen frequently, often caused by people who don't understand the nuances of data privacy. Your employees should clearly understand how they may use the personal information they have access to and how to keep it safe. The regulations also require that staff who handle consumer inquiries about your privacy practices be trained on the CCPA's requirements and on how to direct consumers to exercise their rights.
Employee missteps can easily cause CCPA violations, even if missteps are completely unintentional. It’s important to make sure that everyone is on the same page regarding your company’s data policy.
How Mosey Can Help You Stay Compliant
CCPA compliance is one of many compliance requirements that may impact your business. You’ll have a lot of state compliance issues to keep track of while you’re doing your best to help your business build and grow. Let Mosey help.
Mosey’s compliance automation tools help you keep track of compliance issues in the background. You can focus on your day-to-day operations while Mosey works to help you stay on track with important compliance issues.
Schedule a demo with Mosey to learn how we can help.