Frequently Asked Questions About the CCPA
CCPA stands for California Consumer Privacy Act, which took effect on January 1st, 2020. Its purpose is to govern how businesses handle the personal information of California residents.
This article will walk through 7 FAQs (Frequently Asked Questions) about the CCPA, as well as how AVADA will help you comply with this law.
NOTE: The information provided here is intended to be educational and should not be construed as legal advice. AVADA encourages all of our customers, as well as all E-commerce merchants, to seek legal counsel on how they specifically should comply with the CCPA.
7 frequently asked questions about the CCPA
1. What is the CCPA?
The California Consumer Privacy Act, or CCPA, is a privacy protection law voted in by California lawmakers in 2018. It is a response to a perceived gap in comprehensive privacy protections in the United States.
Companies that handle the personal information of California residents are required to inform residents of their privacy practices and offer residents the ability to:
- Access the information that you maintain about them
- Delete that information in certain circumstances
- Direct you not to share their information with 3rd parties for those parties' own purposes
The law also restricts the resale of personal information. It requires that individuals receive notice that their personal data will be resold and are given an opportunity to opt out.
2. Who must comply with the CCPA?
Most CCPA requirements apply to "businesses" - companies that collect users' personal information (on their own or using vendors) and use the information for their own purposes. These businesses determine "the purposes and means" of processing personal data.
The CCPA applies to any "business" that:
- Handles California residents' personal information
- Is "doing business" in California (i.e., engaging with individuals located in California through an E-commerce or interactive website or app)
- Satisfies one or more of the following thresholds:
+ Has annual gross revenue of $25 million
+ Handles (obtains, sells, or shares) personal information of 50,000 or more California-based consumers, households, and devices annually
+ Gets at least 50% of annual revenue from selling California consumers' personal information (i.e., sharing or giving access to personal information to 3rd parties for those parties' own purposes)
The law also imposes limited requirements on "service providers" - companies that process consumer personal information on behalf of a business. Businesses disclose personal data to service providers for a specific business purpose pursuant to a written contract. The CCPA requires service providers to process personal information only when necessary to provide their services.
3. What personal information is protected under the CCPA?
Under CCPA, "personal information" refers to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a specific consumer or household.
Based on this definition, information covered by the CCPA may include name, address, Social Security number, email address, search history, IP address, or geolocation data (this list isn't exhaustive).
4. Can a company refuse to comply with a consumer's request?
Yes, under certain conditions.
The CCPA obliges businesses to comply with consumer requests unless certain criteria are met. For instance, a business isn't required to comply with a consumer's request to delete their personal information if it is "necessary for the business to maintain the consumer's personal information." The CCPA lists the criteria that make it "necessary" to keep a consumer's information (e.g., to comply with a legal obligation, to detect security incidents, and more).
To be on the safe side, consider all consumer requests submitted via the method you have established, and consult with your legal counsel to confirm, on a case-by-case basis, that you are allowed to refuse to comply.
5. What are the consequences of violating the CCPA?
Under the CCPA, each business has 30 days to cure violations and inform consumers that it has done so. After these 30 days, if the business still doesn't comply, it can face a fine of $2,500 to $7,500 per violation. The business may also need to pay $100 to $750 per consumer per incident after civil action.
For instance, the minimum amount you might need to pay for violating the CCPA for 1,000 consumers is 1,000 × $100 = $100,000, plus a minimum fine of $2,500.
6. What do you need to do to prepare?
The CCPA is a complicated law. This article provides the key obligations under the law for the benefit of our customers, but doesn't take into account all individual circumstances that may apply to your business. You should contact your legal counsel for specific advice. If the CCPA is applicable to your business, you should consider providing the following disclosures:
- Information regarding a user's rights to access, to opt out (if the business sells personal data), to deletion, to non-discrimination for invoking CCPA rights, and to designate an authorized agent
- Two or more methods for submitting access and deletion requests, including a toll-free number (nevertheless, certain businesses that operate exclusively online are exempt from the toll-free number requirement)
- A list of the categories of personal data the business has collected about consumers in the preceding 12 months
- A list of the categories of personal data the business has sold about consumers in the preceding 12 months (or, if the business has not sold consumers' personal data in the preceding 12 months, a statement of that fact)
- A list of the categories of personal data the business has disclosed about consumers for a business purpose in the preceding 12 months (or, if the business has not disclosed consumers' personal data for a business purpose in the preceding 12 months, a statement of that fact)
Consumers have the right at any time to opt out of the sale of their personal data to 3rd parties. As a business, you must stop selling personal data upon receipt of the request unless the consumer subsequently provides express authorization. In order to offer this opt-out right, businesses must, among other things:
- Provide a clear and conspicuous link on the homepage of the business, titled "Do Not Sell My Personal Information." This link should enable a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information.
- Not require a consumer to create an account in order to direct the business not to sell the consumer's personal information.
If the consumer is less than 13 years old, a parent or guardian's affirmative consent (opt-in) is required before selling his or her personal information. If the consumer is between 13 and 16 years old, the consumer's own affirmative consent is required before selling his or her personal information.
Consumers also have the right at any time to opt out of their personal information being sold by a 3rd party that purchased it from a business. The 3rd party must stop selling upon receipt of the opt-out request unless the consumer subsequently provides express authorization.
Access & deletion rights
Provide two or more designated methods for consumers to submit requests for the information required to be disclosed and/or deleted, including, at a minimum, a toll-free telephone number along with a web address (if the business maintains a website).
A business must implement processes to verify a California resident's identity before honoring a request to access or delete personal data. Once a request is received from a California resident and their identity is confirmed, complete the following as applicable:
Right to access. Access disclosure must include, among other things:
+ The categories of personal data collected about that consumer (in the preceding 12 months)
+ The categories of sources from which the personal data is collected
+ The business or commercial purpose for collecting or selling personal data
+ The categories of 3rd parties with whom the business shares personal data
+ The specific pieces of personal data the business has collected about that consumer
Right of deletion. Erasure requests must be completed by the business and its direct service providers. However, a number of exceptions exist, such as where the information is necessary to complete a transaction, provide goods or services requested by the consumer, comply with a legal obligation, or protect against and prosecute fraud and other illegal activity.
Consumer requests must be addressed within 45 days of receipt, by mail or electronically (in a usable format that enables the consumer to provide the data to another entity) or via a user account (if the requestor has an active account).
The response time may be extended by an additional 45 days (if the extension is invoked during the first 45 days) when reasonably necessary (based on complexity and the number of requests) and if the requestor is notified of the extension and the reasons for it.
The request process must be free of charge.
Businesses are not required to fulfill more than 2 requests from the same consumer in a 12-month period.
7. What is AVADA's role under the CCPA?
AVADA has no direct relationship with the individuals whose personal data is stored within our system. Because we process end-user information on behalf of our customers, AVADA serves as a service provider, while our customers are the businesses.
Updated on: 28/08/2021