What Organizations and Employees Should Know About the California Consumer Privacy Act (CCPA)

March 11, 2021 | Sarah Way

The California Consumer Privacy Act (CCPA) gives California consumers more control over how businesses collect, use and share personal information about them. California is at the forefront of states defining privacy standards and individual consumer rights in the digital age. Providing CCPA training ensures employees understand how to handle personal information appropriately and the consequences for violations.

What is the CCPA?

Unlike Europe, the US has not created a uniform set of privacy rights. Instead, state and federal laws create a patchwork of rules – often creating gaps that leave organizations with wide discretion in handling personal data. Data privacy laws like the CCPA and Europe’s General Data Protection Regulation (GDPR) that give consumers more control over how businesses collect, use and share their personal information aren’t going away – and are likely to become more common. The CCPA:

  • Grants certain rights to “consumers” – defined as individual, natural persons, living in California.  
  • Protects “personal information” – information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 
  • Applies to for-profit entities that do business in California, handle the personal data of California consumers or households, and either:  
    • Have a gross annual revenue of over $25 million, or 
    • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices, or 
    • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Roughly paralleling the GDPR, the CCPA gives California consumers the ability to understand whether and how personal data is collected – and the right to demand that businesses leave their personal information alone. This includes:

  • The Right to Know. This right means that consumers can require businesses to tell them what personal information the business has collected, used, shared, or sold about the consumer, and why they have done so.
  • The Right to Delete. This right means that consumers can require businesses to delete personal information they collected and to tell their service providers to do the same.
  • The Right to Opt-Out. This right means that consumers can stop businesses from selling their personal information.
  • The Right to Non-Discrimination. This right means that businesses cannot deny goods or services, charge consumers a different price, or provide a different level or quality of goods or services just because they exercised their rights under the CCPA.

The CCPA stands out because it seeks to create a uniform set of rights and standards that apply to every California consumer and every kind of personal data. And given the importance of data in today’s business environment, the CCPA standards can impact every part of an organization – from IT to sales, marketing, product development and customer service.

What does all this mean? In part, it means that organizations need to create operational systems and make other changes to accommodate the CCPA’s requirements, including:

  • Implementing policies and processes to respond promptly to consumer requests 
  • Ensuring vendor agreements require service providers to handle personal data appropriately 
  • Updating data security measures, as needed
  • Providing CCPA training

CCPA Training

While policies and processes are essential in CCPA compliance, so is the human element. Effective CCPA training helps ensure that employees understand that:

  • Handling personal information appropriately is now a matter of law – not just a courtesy or policy. 
  • California consumers have rights regarding how their personal data is used and those rights can touch many business operations.
  • Taking shortcuts or ignoring a policy could lead to data privacy violations – even if the policy doesn’t have “consumer privacy” in its name.
  • Raising questions or concerns can help the organization navigate through new legal requirements and avoid potentially costly consequences.

Traliant Insight

Data privacy laws like the CCPA and GDPR that give consumers more control over how businesses collect, use and share their personal information aren’t going away – and are likely to become more common, as more states implement new privacy laws. Taking necessary steps now – including training employees on data privacy principles – will help organizations comply with the CCPA and prepare to more effectively respond to future data privacy requirements.