CCPA and what it means for your organisation

The CCPA, in a nutshell, is America’s first state-enacted privacy law, California’s own version of the General Data Protection Regulation (GDPR), the European data privacy law. Data protection is more important than ever before, and navigating the laws and ensuring compliance is extremely vital for the success and integrity of your business.

But we know it can get confusing. And that’s why Award Force, who is both GDPR and CCPA compliant, is here to help make sure you and your awards program, as data collectors, are ready to meet the new requirements.

Important: This article is not legal advice, nor an exhaustive guide to CCPA compliance. If data protection regulations are applicable to your program you should familiarise yourself with the regulations and seek legal advice where necessary, particularly if your program is collecting personal data. 

What is the CCPA?

The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA becomes effective on 1 January 2020.

The CCPA provides California residents with the right to: 

• Know what personal data is being collected about them
• Know whether their personal data is sold or disclosed and to whom
• Say no to the sale of personal data
• Access their personal data
• Request a business to delete any personal information about a consumer collected from that consumer
• Not be discriminated against for exercising their privacy rights

And, it defines personal information (PI) as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  

This can include but is not limited to a person’s: 

• IP address
• electronic network activity information, including browser histories, search history, and any information regarding a consumer’s interaction with a Web site
• audio, electronic, visual, thermal, and olfactory information
• geolocation data

How will it affect businesses? 

The CCPA applies to any business that collects consumers’ personal data, which does business in California and meets at least one of the following thresholds: 

• Has annual gross revenues in excess of $25 million
• Possesses the personal information of 50,000 or more consumers, households, or devices
• Earns more than half of its annual revenue from selling consumers’ personal information

What happens if I don’t comply?

Any company around the world that handles the personal data of California residents will need to comply with the new requirements or be subject to some heavy punishment.

Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).

A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).

What should you do right now? 

• Review the CCPA. While it is similar to GDPR, there are differences between CCPA and GDPR privacy laws.

   

• Review your privacy policy. Be sure it includes:

   

• a description of California residents’ rights.
• Processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes.

   

• Provide a “Do Not Sell My Personal Information” link on the home page of your website to direct users to a web page enabling them to opt-out of the sale of the resident’s personal information.

   

• Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.

   

• Avoid requesting opt-in consent for 12 months after a California resident opts out.

   

• Ensure your software partners are compliant.
  Award Force has updated its Privacy Policy to include the requirements of the California Consumer Privacy Act and features information about the platform security for our clients.

While the CCPA will require additional steps for data collectors and controllers, it does represent new ways to better protect consumer privacy and provide a safer experience for all your program participants. 

Award Force fully respects the rights of individuals and households to their privacy. We will never sell your data to third parties or collect unnecessary data in our dealings with you as interested parties, clients or users.