Summary of CCPA
In the era of data privacy, California has been gifted with the California Consumer Privacy Act (CCPA), a much-needed law that favors customers’ right to data privacy. The law gives customers rights concerning the collection and usage of their personal information. Signed on June 28, 2018, the bill is set to come into force on January 1, 2020. It applies to all businesses that employ Californians, sell products or services to the residents of the state and/or conduct operations there. Non-adherence will place businesses at risk of paying huge fines as dictated by the California State Attorney General.
Does CCPA apply to your organization?
- CCPA applies to any organization, all over the globe, that collects and uses the data of California inhabitants.
- It applies to your business if the parent/subsidiary organization meets at least one of the following:
  - The entity’s annual gross revenue is at least $25 million
  - The entity collects the personal information of at least 50,000 Californians, households, and/or devices per year
  - The entity makes at least 50% of its annual revenue from selling California residents’ personal information
- CCPA does not take into account the size of a company. It applies to any and all businesses (small, medium and large) across the globe that collect and process the personal data of California’s residents.
A California resident is defined as any person who:
- Is in California for any purpose other than temporary or transitory
- Is domiciled in California but is outside the state for temporary or transitory reasons
A few key clauses under CCPA that benefit California residents:
The act guarantees California residents certain rights regarding the personal data that businesses collect online:
- Right to know what data/information is being collected and processed online
  - Businesses must notify customers about:
    - The personal data/information that they are collecting
    - The reason that particular information is being collected and its intended purpose
  - Businesses must further notify customers:
    - If they intend to collect more information
    - Of the intended purpose of that information
- Right to data portability
  - If a customer requests a business to disclose any personal information that it has collected, it must provide the same in a readily usable format so that the customer can transfer it to another organization/entity without hindrance
- Right to Deletion/Erasure (the right to be forgotten)
  - A customer can request a business to delete the personal information that it has collected, subject to certain exceptions
  - In such cases, the business must also notify its service providers, and the third-party organization that it does business with, to delete the customer’s data
- Right to opt out of businesses selling/reselling customers’ personal data
  - Businesses should give customers an opportunity to opt out of the sale or resale of their personal data to third-party organizations
  - Businesses must house a “Do Not Sell My Personal Information” link in a visible location on their website homepage
  - Once a customer opts out, businesses must observe a window of 12 months before seeking permission to sell/resell that customer’s personal data
  - Third-party organizations must also notify their customers (or the customers of the business that sold the information to them) of the category of personal data that they have collected and its intended purpose
Where will non-compliance take your business?
Businesses are given a 30-day period once the Attorney General notifies them of a violation. In the event of non-adherence within the stipulated time frame, legal authorities can lodge a civil case against the business and fine it up to $7,500 per violation.
How can Kogni address the CCPA challenge?
Businesses must take a comprehensive approach to CCPA compliance by implementing an all-inclusive enterprise data security tool. This tool can help them track the location and purpose of their customers’ personal information. It helps customers exercise their rights to information, portability, erasure, etc. It can also help manage opt-outs when customers no longer consent to the sale of their personal information.
Kogni addresses these key CCPA requirements and sets organizations in the right direction for supporting data security and privacy programs that address the tenets of the regulation. Kogni does not just identify sensitive data; it also classifies, detects and monitors it. To support CCPA and other similar regulations, Kogni is equipped with the capability to map a user’s data across multiple data stores, so that when the user makes a request for their data, it can be mapped across all possible data sources, both on-premise and in-cloud. Kogni also ensures compliance with data governance initiatives by monitoring for policy violations and deviations from established organization standards.
Data Subject Catalog - CCPA
Sort through customer details using Kogni’s Data Subject Catalog
These capabilities make Kogni the most comprehensive, intelligent and advanced all-in-one data security solution in the market for complying with cumbersome regulations such as the CCPA.