All You Need to Know About the California Consumer Privacy Act (CCPA)
As of January 2020, a new consumer privacy act is in place, affecting all California consumers and the companies that do business with or provide services to them. The California Consumer Privacy Act (CCPA) has a broader understanding of what falls under the “private data” category and sets out stricter and more elaborate restrictions on it than the TCPA regulations do.
What is the CCPA?
According to the CCPA, it’s every California user’s right to demand a report of all the personal information a company has collected on them, and a list of all third parties this data is shared with (if any). If customers deem this a violation of their privacy, the CCPA allows them to file a class action suit against the violator, even if an actual breach is not reported.
How Does the CCPA Define “Private Data”?
In many aspects, CCPA is similar to GDPR, the data protection regulation in Europe. Some say that if a company is compliant with the GDPR, then it's basically just a couple of steps away from fully abiding by the CCPA.
Here is a full list of what is considered private data by the CCPA, as per Section 9, subsections O(1) and O(2) of the Senate Bill-1121:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
Characteristics of protected classifications under California or federal law
Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
Audio, electronic, visual, thermal, olfactory or similar information
Professional or employment-related information
Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
Now that we’ve given you a complete overview of what constitutes “private data”, let’s take a look at two other areas of the CCPA that are of particular interest to businesses: how it defines “selling” of personal information, and how to stay compliant with both the TCPA and the CCPA in the event of data deletion.
Definition of “Selling” Under the CCPA
The CCPA has a rather broad definition of “selling” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What this means is that, even where no party benefits financially from an exchange of personal data, “selling” could occur whenever companies share private information with third parties for any reason at all.
Keeping Records of Personal Information
According to the TCPA, the main act which restricts telemarketing communications via voice calls, SMS texts, and fax, no company can contact US-based customers unless it has their prior written consent to do so, and a record of such data. In the case where customers request that their information be deleted but haven’t opted out of receiving text marketing, the two acts could clash.
For those who have given their consent to receive text messages but then opted out of having their data “sold”, businesses could decline to delete the records in order to abide by the legal TCPA obligation to maintain an internal “Do Not Contact” list, citing the “comply with legal obligations” provision in the CCPA (Section 2, d(8)).
What Can Companies Do to Be Compliant with the CCPA?
Section 8 of the CCPA gives complete guidelines on what businesses can do to respect the act and all users who fall under it.
If a customer does choose to opt out, according to the CCPA companies should refrain for at least 12 months from requesting that they authorize the sale of the consumer’s personal information.
How Does it Affect You?
All in all, the CCPA ensures that all California users’ private information is treated with extra care, and aims to limit any occasions where their privacy might be breached or their data tampered with.
As such, the CCPA affects all businesses which, in any way, communicate with California customers, including through text marketing, and will give customers more ways to control who has access to their personal data.