CCPA: The smart new regulatory act for data privacy

The CCPA, which came into effect on January 1, 2020, is the California Consumer Privacy Act. It aims to preserve consumers’ rights to access and delete the Personal Information (PI) that businesses collect about them. The CCPA was expected to be in effect within 30 days from its amendment.

However, it is important to note that the CCPA does not apply to just any start-up or e-commerce platform. It is specific to business organizations that meet at least one of these thresholds: an annual gross revenue of over $25 million; buying or receiving for their own commercial reasons, or selling or sharing for commercial purposes, the PI of at least 50,000 devices, households or consumers per year; or deriving at least 50 percent of their annual revenue from selling or sharing consumers’ PI.

So how does it work for data privacy?

If you own a business that qualifies under the CCPA, your privacy policies must inform each and every consumer about their rights. Below are the five key rights of California consumers:

Right to know: Consider an example. Maria filled in a form with a car care company for the maintenance of her car. Even after her one-year contract with them has ended, she notices that she is getting calls from various other companies proposing deals on varied products. Here, she has every right to question the car care company about where, how and why her PI was distributed, and under the CCPA she is entitled to receive a satisfactory reply within 45 days. If not, the car care company is subject to a penalty for non-compliance with the act. Hence, a consumer has the right to know where, how and why their data is being distributed to third-party companies for schemes, advertising and other purposes that may be non-essential to the consumer. So, if questioned, the business distributing the PI should have a convincing answer.

Right to be forgotten: Taking the same example, when Maria filled in the form with the car care company, she expected her data to remain confidential and not be distributed without her knowledge. So, she has the right to be forgotten once the work in question is completed.

Right to opt out: As a consumer, you have every right to opt out of any subscriptions or promotional advertisements that are sourced from information you shared with a website for a particular purpose.

Right to access or delete: It should be entirely the consumer’s call whether to grant access to a specific site. Whether the person wants to share PI should be their own decision, and after sharing data, the consumer should also be able to delete that data at their own choice.

Right to equal service or non-discrimination: This is a common scenario. Many times, while you access online shopping websites, the e-commerce site offers tempting schemes if you agree to link some of your social media accounts or grant it access to your contacts list; if you refuse, you are not eligible for any of the tempting discounts or offers. This practice can be corrected by complying with the CCPA.

So, does it mean that the CCPA applies only to consumers residing in California?

The CCPA is not aimed at businesses based in California alone. It applies to any business that processes the personal information of consumers in California. This also means that if you offer your services in any part of California, you fall under the CCPA. If you have a website that uses any kind of consumer information, such as someone’s full name, employment details or geolocation, then you are expected to upgrade your data architecture with respect to the new rules and protocol of the CCPA, adhere to its requirements and abide by it.

So, how would it impact the for-profit businesses that must comply, and what is the penalty for non-compliance with the CCPA?

It is very important for all business companies that deal with large volumes of data and generate huge revenues from it to maintain transparency by disclosing each data item, its usage, retention period and expiry, and by updating their privacy policies from time to time. This strengthens the core capabilities across the pillars of an organizational matrix: People, Process, Governance, Technology and Privacy-security. Businesses have to make several amendments, such as spending an exorbitant amount on additional technology and tools, to become CCPA compliant. If there is a security breach, the business organization in question is liable to pay the consumer a penalty of $2500 per unintentional violation, which can soar as high as $7500 per intentional violation. This means that each time the authenticity of the consumer’s PI is questioned, a penalty is approved. So, if you own a website, you need to update the privacy policy every 12 months.

So how is the GDPR different from the CCPA?

There are some striking similarities between the CCPA and other regulations such as the GDPR for the European Union, in that both aim to keep consumer rights preserved, and a few of their provisions match each other. However, there are some notable differences as well. The General Data Protection Regulation (GDPR) for the EU applies to data controllers and covers a wide spectrum of areas: regulating data processors (service providers), principles of data processing, legal bases for processing, specific data security measures, appointing a data protection officer, empowering data protection authorities, certification schemes and codes of conduct, and overseas transfers. As for the length of each text, the CCPA is almost 10,000 words, whereas the GDPR is many times that, so the GDPR contains more detail and intricacy. The GDPR requires data controllers to publish a comprehensive privacy policy, whereas the CCPA requires businesses to publish a specific privacy policy about their personal information trading practices. The GDPR provides a broader set of rights that allow individuals a high degree of control over their personal information, whereas the CCPA provides some of these rights but with more exemptions for businesses. The GDPR and the CCPA are also enforced via different systems of penalties.

How is CalOPPA different from the CCPA?

CalOPPA is the California Online Privacy Protection Act, which mainly deals with security breaches that occur online. Its rules are also not as stringent as those discussed above for the GDPR and the CCPA. The CCPA’s promise to each consumer of preserved data privacy, together with the right to sue an organization that fails to comply with the act, is expected to be a major movement and an initial step toward transparency in the various other laws and acts to follow.
