The California Consumer Privacy Act (CCPA) is a complex law that requires businesses to make significant changes to the way they treat California residents’ personal data. Becoming CCPA compliant is not a quick, one-day project, but for those who want a short summary, the CCPA’s requirements can be divided into three major categories: posting privacy notices, responding to consumer requests, and implementing data security measures.
This is just a starting point to understand how the CCPA works and what your business must do to be compliant. To learn more, read our Complete CCPA Guide or browse our CCPA Resources Center for other in-depth CCPA articles.
Determine whether the CCPA applies to your business ›
The most immediate of the CCPA’s requirements is for businesses to make extensive disclosures about their data privacy practices. Whether it’s online or at a brick-and-mortar store, before collecting consumers’ personal information, businesses must inform them of the following:
There are also additional notices that businesses must provide if they buy, sell, share, or receive the personal information of 10 million or more consumers annually.
Read more about the CCPA’s privacy notice requirements ›
The CCPA gives consumers the right to make several types of privacy requests to businesses that collect their personal information. Here are the five types of CCPA requests:
Each of these requests has its own set of rules, deadlines and verification requirements that must be met, as well as numerous exemptions.
Read more about how to handle CCPA consumer requests ›
The CCPA is enforced by the California Attorney General, and soon by the California Privacy Protection Agency as well. Consumers cannot directly sue businesses for violations of their privacy rights, but the CCPA does create a private right of action related to cybersecurity and data breaches. Consumers can sue businesses when their nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement and maintain reasonable security procedures.
Consumers can recover up to $750 in statutory damages per incident without showing actual damages. This will certainly lead to class-action lawsuits in the future.
The effect of creating this private right of action is that businesses are on notice to (1) encrypt and redact personal information wherever possible and (2) implement and maintain reasonable security procedures.
Read more about the CCPA’s private right of action ›
Though this list does summarize the CCPA’s requirements, there is much, much more information needed to become CCPA compliant. Start with our Complete CCPA Guide to learn the basics of the data privacy law and find answers to foundational questions like what is personal information and what is a sale of personal information.
There is also a lot of work that must be done before even beginning to make all the required privacy notices. In order to fully understand exactly what personal information your business collects and how it uses that information, you must first create a data map. This is where most of the work of becoming CCPA compliant takes place. The good news is that once the data map is completed, the rest of the process is considerably easier.
Read more about the process of becoming CCPA compliant ›
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.