US-CCPA Implementation

The California Consumer Privacy Act (CCPA), a first of comprehensive data-privacy legislations
in the US, was introduced in 2018 and has been enforced from January 1, 2020 by the State of
California. The legislation seeks to establish the procedure for identifying, managing, securing,
tracking, producing and deleting consumer privacy information so as to protect the privacy
rights of the users.

Scope of CCPA Regulation

CCPA includes within its ambit the entities that do for-profit business in the territory of California involving the personal data of the Californian resident where the business meets one of the thresholds:

  • annual gross revenue over US $25 Million;
  • receive or disclose the personal information of 50,000 or more California residents;
  • or derive 50 percent or more of their annual revenues from selling California residents’ personal information.

This legislation operates for the protection of person data which has a broad interpretation, including items such as phone numbers, social security numbers, biometric information, and Internet Protocol (IP) addresses.

Compliance Obligations

CCPA puts various obligations on the business entities to ensure protection of personal information from unrestrained transfers and processing.

  • Firstly, all business entities must public a Privacy Policy complying with the CCPA Rules which must be updated at least once every 12 months.
  • They are also obligated to ensure that consumers are provided the information relating to the processing of their personal data.
  • In the interest of maintaining transparency consumers must be notified before or at the point of data collected that the permission is being asked to collect the specified data.
  • The consumers have to be granted the right to access the personal information that the entity holds.
  • It is the obligation of the entity to lay down the procedure for making requests and similarly, an opt out option for “Do Not Sell My Personal Information” must be maintained by the entity to enable the exercise of the consumer rights.
  • A data Inventory has to be maintained by the entity to track data processing history.

Penalties

Corresponding to the obligations laid down under CCPA, there is a provision for the imposition of penalties for accountability and compliance under the regulation. The strictness of the penalties varies with the intent, frequency and severity of the non-compliance by the entity. CCPA mandates maximum civil penalties of $7,500 for intentional violations of the CCPA whereas maximum civil penalties of $2,500 can be ordered for unintentional violations of CCPA.

Enforcement Mechanism

Under CCPA, the Office of the Attorney General of California has been granted exclusive authorization to bring civil actions against entities not complying with the obligations laid under CCPA such as failure to maintain CCPA compliant privacy policy or address Consumer requests etc. Alternatively, consumers also have the private right to action to pursue a civil claim within the jurisdiction of a Court only when their unencrypted or un-redacted personal information is breached.

Benefits of the CCPA Compliance Program

As part of our CCPA compliance program, we help you to:

  • Comply with California Privacy Laws efficiently and effectively.
  • Recognize, Access and Strategize Personal Data within your organization
  • Adapt, Improvise and leverage your existing privacy compliance in order to comply with CCPA
  • Respond to Data Subject Rights and Fulfil Business obligations under CCPA
  • Policy and Notice Management and maintain data privacy structures within the organizations.

Get in touch with us