What Is CCPA and How Can Your Company Be Compliant?
With less than a year to go before the official implementation of the California Consumer Privacy Act (CCPA) on July 1, 2020, local businesses are starting to move toward compliance. What is the breakdown of the United States’ most stringent data privacy regulation yet? What is its approach to protecting personal data and PII? How will it affect your company? And what can you do to be compliant by the time the law goes into effect?
CCPA and How It Defines Personal Information
CCPA explicitly states personal information to be:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That’s quite a mouthful. If you’d like a less jargon-heavy look at what constitutes personal information, check out our blog post on personally identifying information (PII).
In many ways, the sale of PII to marketers and other third parties is what allows the ecosystem of free mobile apps to flourish. However, it also exposes consumers to data misuse, identity theft, and a large number of other digital threats. Essentially, CCPA widens the definition of personal information to cover anything that could be used to map out a person’s digital personality (think of the information you provide on your social media profile, your profession, your purchase history, the websites you previously visited). This builds on the traditional definition: address, phone number, social security number, bank account and credit card numbers, and so on.
Who Does CCPA Protect, and How?
CCPA protects residents of California by extending to them more visibility and control over how their personal data is treated. First of all, businesses must notify consumers that their personal information will be collected. They must be completely transparent with regard to what they intend to do with that data. They must also provide the names of the third parties who will be receiving it.
Users have the right to opt out of having their information sold at any time, and businesses are required to post a link on their website that users can click to opt out. Similarly, businesses must delete all of the personal information they have collected about a consumer if that consumer requests it.
Does CCPA Apply to Your Company?
Ultimately, CCPA intends to hold businesses responsible for the security of the user data on which they are building their business model. If you are a for-profit company that either processes the data of California residents or does business in California, CCPA applies to you if one or more of the following is true:
- Your annual gross revenue is more than $25 million
- You buy, receive, sell, or share the PII of at least 50,000 users
- You take at least 50% of your annual revenues from selling user PII
How Can You Become Compliant?
As technology’s ability to read and process personal data becomes more encompassing, data privacy laws will have to extend their reach. And while CCPA may only cover California for now, other states will not be far behind. So if your mobile app processes user data in any capacity, it is worth your while to get informed.
The aim of CCPA is to increase both transparency and security surrounding consumer data. To start with, you will have to give users the option to opt out of having their data sold. This means including a “Do Not Sell My Personal Information” link in an easy-to-find place on your website’s homepage, which takes users through the process of opting out of having their data sold.
For minors between the ages of 13 and 16, you will have to obtain their consent before you sell their data. And for children under the age of 13, you will need a parent’s or guardian’s consent.
- The types of information you collect and process
- The purposes for which that information is used
- How you collect and process the information
- The third parties you share the information with
- How users can request access to or deletion of their PII
- The method you use to verify the identity of users who submit requests
- How users can opt out of having their personal data sold
- A list of the PII that has been sold in the past 12 months
CCPA takes its inspiration in many ways from the EU’s GDPR. So if you are familiar with the rules surrounding GDPR, you probably have a good idea of what to expect from CCPA. Still, the fine for violating CCPA can be up to $7,500 per violation, so it is without a doubt in your best interest to do your utmost to ensure that your company is compliant.
While every company has to do its own due diligence to ensure it is handling user data in a responsible and compliant way, when it comes to mobile apps, OpenBack has you covered. Our patent-pending SDK is GDPR-, HIPAA-, and COPPA-compliant by default. OpenBack’s mobile engagement platform lets your app leverage device-side user data. The data never has to leave the individual devices, meaning your users won’t be exposed to data breaches and the other risks of keeping data on cloud servers. OpenBack lets you specifically select which data regulations you want to follow (although CCPA is not yet one of our options), and allows for immediate deletion of user data if requested.