3 Things to Know About California’s Consumer Privacy Act

This past year, we took a serious look at our privacy policy to ensure that we were doing right by our website visitors and that our clients were also upholding security best practices. While we understand that GDPR may not apply to our audiences directly, we also recognize that it’s a good standard for our business. With California’s recent introduction of the California Consumer Privacy Act (CCPA), the standards set by GDPR may have just been the first step toward being prepared for compliance regulations in the US. How does the CCPA compare to GDPR? And what should you be doing to keep your business protected from non-compliance?

What is CCPA?

California has been the leader in streamlining legislation and regulations for the safety of its residents for years — specifically regarding data security. That’s why it’s no real surprise that they’re the first state to develop and pass a privacy act that puts securing consumers’ personal information at the forefront.

The CCPA — which went into effect January 1, 2020 — ensures that California residents have a right to learn what data companies collect about them and opt out of their data being collected. They also have the power to ask companies to delete any stored data and restrict the sale of their data. This applies strictly to California residents. While the full impact of this act is still being determined, there are a few ways this will directly impact US businesses.

Similar to GDPR, the CCPA applies to a specific group of people. GDPR covers anyone targeting EU data subjects, while the CCPA protects California consumers. Although the individuals covered differ slightly, both regulations protect natural persons rather than legal (artificial) persons.

GDPR focuses on ensuring businesses are prepared for data breaches and take the right steps if one occurs. Rather than that proactive approach, the CCPA focuses on the consequences a business faces if it experiences a data breach. Consumers in California have the right to sue a business for losing their information in a breach if negligence is involved.

Perhaps the most prominent difference is how each regulation treats opt-out requests. GDPR does not require businesses to offer an opt-out from the sale of personal data; instead, it allows data subjects to withdraw their consent for data processing activities and third-party marketing activities. The CCPA, however, requires businesses and service providers to comply with consumer opt-out requests, and they cannot sell that consumer's data for a minimum of 12 months after the consumer opts out.

3 Ways CCPA Can Impact Your Business

So, what does all this mean for your business? If you don’t currently do business with anyone from the state of California, and you don’t plan to ever do business with anyone from the state of California in the future, then it doesn’t mean anything — yet. Just as the CCPA followed fairly soon after GDPR, you can expect most other states to follow California's lead shortly. Until then, you can prepare for compliance — along with anyone else doing business with California residents — by making these three changes:

1. Add a link to your site homepage that says, “Do not sell my personal information” if your site features registered user accounts, and there is a possibility you might resell user data from those accounts. This link should allow users to opt out of their data being sold for a minimum of 12 months. The link should be clearly visible and could be displayed in the footer next to your privacy policy link.

2. Comply with consumers’ opt-out requests. It can be frustrating to lose valuable user data — especially when trying to be helpful and show users related items that you think they may want — but it can be even more frustrating for a consumer to request that information be deleted and find out that it has not. Respect their choice and strictly comply with CalOPPA, CCPA, and GDPR regulations.

In some cases, you may be unable to delete stored data because it’s being used for administrative or legal purposes. If so, you must respond to consumers’ requests within 45 days. This can be extended to 90 days after consumer notification.

3. Do not reauthorize the selling of personal information until more than 12 months after the consumer has opted out. A lot can change within a year, but what shouldn’t change is how you handle the data of a consumer who has opted out of your data storage and sales.
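The three changes above only work if the opt-out is enforced server-side at the point where data would actually be sold, not just shown as a link. The following is an added illustration (not code from this post or from Allegrow) of a minimal opt-out registry that honours the 12-month no-sale window, accepts a fresh opt-in only after that window has fully elapsed, and computes the 45-day (or notified 90-day) response deadline; the class and function names are my own, and dates are ISO strings as they would arrive from a web form.

```python
from datetime import date, timedelta
OPT_OUT_LOCK_MONTHS = 12      # no sale for at least 12 months after an opt-out
RESPONSE_DAYS = 45            # answer a consumer request within 45 days
EXTENDED_RESPONSE_DAYS = 90   # or 90 days once the consumer is notified of an extension

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day for short months (31 Jan + 1 -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

class OptOutRegistry:
    """Persisted opt-out state (hypothetical helper), consulted before any sale or share."""
    def __init__(self) -> None:
        self._opted_out = {}     # consumer_id -> date of most recent opt-out
        self._reauthorized = {}  # consumer_id -> date of a later, fresh opt-in

    def record_opt_out(self, consumer_id: str, when: str) -> None:
        self._opted_out[consumer_id] = date.fromisoformat(when)
        self._reauthorized.pop(consumer_id, None)   # any earlier opt-in is void

    def lock_expires(self, consumer_id: str):
        """Last day of the mandatory no-sale window, or None if never opted out."""
        opted = self._opted_out.get(consumer_id)
        return None if opted is None else add_months(opted, OPT_OUT_LOCK_MONTHS)

    def reauthorize(self, consumer_id: str, when: str) -> bool:
        """Accept a new opt-in only once more than 12 months have passed since the opt-out."""
        expires = self.lock_expires(consumer_id)
        if expires is not None and date.fromisoformat(when) <= expires:
            return False
        self._reauthorized[consumer_id] = date.fromisoformat(when)
        return True

    def may_sell(self, consumer_id: str, today: str) -> bool:
        """Gate every sale on the stored record, not on what the UI last showed."""
        expires = self.lock_expires(consumer_id)
        if expires is None:
            return True                      # never opted out
        if date.fromisoformat(today) <= expires:
            return False                     # inside the 12-month window
        return consumer_id in self._reauthorized   # afterwards, only with fresh consent

def response_deadline(received: str, extension_notified: bool = False) -> str:
    """Deadline for answering a deletion/access request: 45 days, or 90 if extended."""
    days = EXTENDED_RESPONSE_DAYS if extension_notified else RESPONSE_DAYS
    return (date.fromisoformat(received) + timedelta(days=days)).isoformat()
```

In a real system the registry would be backed by durable storage and consulted by every export, sync or ad-partner integration, since a deleted or opted-out record that still flows to a partner is exactly the failure the second change warns about.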

Allegrow Helps You Remain Compliant

We’ve worked with hundreds of businesses across the medical, legal, cybersecurity, and HVAC industries, so we know the importance of securing data and meeting compliance regulations. We strive to help our customers become or remain compliant by implementing best practices across our website development projects.

For more information about CCPA, GDPR, and updating your privacy policy, contact us, or email your success manager.

*This blog post was written to provide general information about privacy policies and CCPA compliance. For more information, visit the links provided.