The California Consumer Privacy Act of 2018 or CCPA is an important data governance regulation that affects how companies handle consumers’ personal information.
The CCPA is actually just one of several regulations that call for stringent data management practices. The European Union’s General Data Protection Regulation — better known as GDPR — puts forth similar requirements that companies must consider.
The CCPA is designed to empower California-based consumers, providing them with the ability to more effectively control the methods that are used to manage the data that companies collect. The CCPA applies to any and all businesses, websites and other entities that have dealings with California citizens.
What Does the CCPA Involve?
The CCPA actually has four key components that a business must consider in order to achieve and maintain full compliance. According to the official State of California website, those four “rights” of the CCPA are as follows.
- The Right to Know – An individual has the right to know about what personal information a business is collecting and how the website or business plans to use/share that information.
- The Right to Delete Data – Each person has the right to request the deletion of the personal information that they have provided to a company, website or other similar entity. There are a few exceptions to this particular point. Additionally, companies are required to provide at least two methods that a Californian can use to submit their request for data deletion.
- The Right to Opt Out – An individual retains the right to opt out in the event that an organization wishes to sell their information.
- The Right to Non-Discrimination – A person retains the right to be treated without any sort of prejudice or discrimination as a result of exercising one or more of the aforementioned CCPA rights. In other words, they cannot be penalized or otherwise treated unfairly because they have exercised their rights to know, delete data or opt out of the sale of their information. A company is also not permitted to withhold offerings or use other tactics in an attempt to get an individual to waive these rights. According to the State of California website, “…any contract provision that says you waive these rights is unenforceable.”
If a citizen requests data deletion or opts to withhold personal information that is necessary for providing a specific product or service, the business does have the ability to withhold their offerings without running into issues associated with discrimination.
In addition to complying with and respecting these four CCPA rights, a business is required to provide consumers with information on its privacy practices.
Notably, the CCPA does not apply to non-profit organizations and government bodies.
How Does the CCPA Impact My Business and its Data?
If your business is collecting data — any data, really — you ought to have a comprehensive data management plan. This data management strategy should include the careful consideration of a few different points, such as the following.
- How are we collecting data?
- What information are we collecting? And how sensitive is that data?
- What are we doing with the data we collect?
- Are we properly informing individuals about what we’re doing with their information?
- Are we encrypting and securing data against data breaches and other similar threats?
While the latter point on encryption and data breaches isn’t necessarily part of the CCPA’s requirements, it is absolutely part of a good data management strategy. Few things can damage a company’s reputation — and even their bottom line — like a data breach involving consumers’ personal information.
What Rights Do California Residents Have Via the CCPA?
Californians are allowed to ask a company to disclose what personal information they have collected and what they plan to do with that data. As mentioned above, a citizen can request to have their data deleted and they can decline to have it sold too.
The CCPA also empowers California residents to be notified at the time of data collection. The California Consumer Privacy Act calls for the publication of a “notice at collection,” which must be provided to consumers at the point when their information is entered and submitted. This CCPA notice must include the following information:
- A list of categories of personal information that is collected;
- The reason for collecting data;
- How the company plans to use that information;
- A “do not sell” link in the case that the company plans to sell users’ information.
This ties into “the right to know,” whereby a California native has the right to learn what specific pieces of information have been collected about them.
Discounts and Promotions for Collecting User Data
A company is allowed to offer discounts or promotions in exchange for a user’s information — including saleable personal information. But according to the CCPA site, a financial incentive can only be offered if it “is reasonably related to the value of [the] personal information” that the business is collecting.
The official CCPA website also tells California residents that, “If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.”
How to Avoid CCPA Penalties and Fines for Your Business
Many companies wonder, “How do I avoid these fines and penalties arising from the CCPA?” The following points are usually key to avoiding CCPA penalties.
- Understand what data is collected.
- Know how, where and why that data is being used.
- Identify exactly where that data is stored.
The last point — knowing precisely where specific bits of a user’s data are stored — represents a common and very problematic stumbling block. Prior to the 2018 California privacy law rollout, there wasn’t much need — or motivation — for a business to secure and safeguard the information that it had collected from users and prospective customers/clients.
Pre-CCPA, a business was essentially free to store data wherever and however they saw fit. There was little attention given to where that information was stored or what measures were in place to offer security and protection. You were free to collect and store data in nearly any manner you saw fit without risking any adverse impact on your company. But today, the CCPA requires a business to disclose:
- Categories of personal information that is collected;
- Specifics on what bits of personal information were collected;
- Overview of why the data is being collected;
- “Categories of third-parties” that will be purchasing the data; and
- “Categories of information” that your company will be disclosing or selling to a third party.
This probably leaves you wondering, “How do I address all of these issues and avoid CCPA fines and penalties?” The solution is actually rather straightforward in many instances. Machine learning solutions such as those implemented by iTech can offer a convenient and effective solution to avoiding CCPA fines.
How Can You Use Machine Learning to Avoid CCPA Penalties and Fines?
Machine learning technology can be very effective for helping a business to locate, identify and index data, including the personal information that many companies usually collect from current or prospective consumers.
A well-architected machine learning algorithm will lead you to the exact pieces of data that you need in a situation where an individual has decided to exercise their right to deletion. In these cases, you need precision technology to track, secure and protect data in a way that is fully compliant.
Machine learning holds the potential to transform a company’s data management practices and it is a technology that improves and evolves over time, bringing greater benefits and ROI. At iTech, we know what it takes to succeed with machine learning-driven data indexing and other related technologies. Contact the iTech team today to discuss your data management needs.