California Consumer Privacy Act (CCPA) and you
The California Consumer Privacy Act, or CCPA, became effective on January 1, 2020. Although it is a California mandate, the act applies to any company that does business with a California company, has California resident customers, or collects any personal data of a California resident for any purpose (customer or non-customer).
In short, companies that fall under this ruling (nearly every company) must prove they are taking appropriate measures either to protect the data consumers agree to share with them or to avoid collecting or sharing the personal data of consumers who decline permission. This personal data includes:
- Credit card numbers
- Real names
- Postal addresses
- Social security numbers
- Income or similar information
- Browsing history and search history
- Commercial information
- Political affiliations
- Education information
- Religious affiliations
- Unique personal identifier / account name / online identifier
- Driver’s license number
- Geolocation data
- Biometric information
- IP address or other similar device identifiers
- Passport number
- Other identifiable information
Companies subject to the CCPA must:
- Provide notice to consumers at or before they collect personal data
- Allow consumers to opt out, read, and delete their personal data from the business’s storage. Companies must provide a “Do Not Sell My Personal Information” link for opt-out requests
- Respond to consumer requests within specific time-frames
- Show consumers privacy settings that signal their choice to opt out
- Verify the identity of consumers who ask to read and delete their information, even if they have a password-protected account with the business
- Disclose financial incentives for retaining or selling the consumer’s personal data and how they value that data
- Maintain records of all access requests for 24 months, as well as how the business responded.
California residents now have the following rights:
- The right to know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information
- The right to delete personal information held by businesses and their vendors
- The right to opt out of the sale of their personal information and direct a company to stop selling their information. Children under the age of 16 must provide opt-in consent. Children under the age of 13 require the consent of a parent or guardian.
- The right to non-discrimination when a consumer exercises privacy rights under the CCPA.