The California Consumer Privacy Act (CCPA) came into effect on 1 January 2020. It is one of the first acts of its kind in the United States of America. CCPA is a statewide data privacy law in California that regulates how companies or firms around the world handle the PI (Personal Information) of California residents.

Who does CCPA apply to?

CCPA applies to any company or firm whose annual gross profit is more than 25 million dollars, or which receives, processes, or transfers data from over 50,000 Californians annually, or which derives a minimum of 50% of its annual revenue from selling Californians' PI (Personal Information).


What are the user rights under CCPA?

Under the CCPA, Californians are granted a few important rights: the right to know, the right to delete, the right to non-discrimination, and the right to opt out.


What is data mapping?

Data mapping is connecting a data field in one source to a data field in another source. Data mapping minimizes possible errors, helps systematize the data, and even helps tally the data.

The company should know what information is being collected, then map the flow of data and create an inventory. Lastly, it should have a method to classify the collected information.


Personal Information

Any customer information that identifies, describes, relates to, is linked to, or could be related to, directly or indirectly, a customer or their household is defined as PI (Personal Information).

According to the CCPA, data doesn’t have to be directly related to an individual for it to qualify as personal information. Personal data may also include information linked to a household or an individual’s device.

Steps to create a Comprehensive Privacy Policy

Inform consumers of your intentions at or before the point of data collection.

The policy should be available in the languages in which your business provides information in California.

Make the information available in either a banner or pop-up when the user visits your site (consider using a CMP).

Give the user an option to opt out (“Do Not Sell”).

Update the information and ‘effective date’ of the policy every 12 months.

Ensure the date of the last update is clearly visible.

List all the categories of personal information your business has sold in the past 12 months.

An option to OPT OUT

Customers need to have an option to opt out. This has to be easily accessible to the customers.

Include a “Do Not Sell” link (opt-out) that is easily available on your homepage (use a ‘Consent Management Platform’).

Minors: Obtain explicit consent (opt-in) from parents or legal guardians before processing the personal data of minors between the ages of 13 and 16.

Ask for opt-in again only 12 months after the consumer has opted out.

Consumer Rights Requests

Every Californian has the right to object to the sale of their PI (Personal Information) to any third party. Additionally, if a consumer has denied or objected to the sale of their data, the company cannot ask the customer to consent again for the next 12 months from the date of objection.

Let us see how a company can provide Consumer Rights Requests.

A system has to be set up for submitting Consumer Rights Requests. Provide at least two contact options, e.g. toll-free phone number, web form, email.

Enable consumers to attach evidence when submitting a request to verify their identity and proof of residency.

Set up a system to verify such requests.

If your business cannot reasonably verify the identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified.

Keep records of all requests and your business responses for 2 years.

Response Time – Standard Period: within 45 days, Extended Period: up to 90 days

Data security

To fulfil the CCPA regulation, the security team needs to work closely with the database administration team, and a high level of data security needs to be provided to the customers. Let us see how a company can achieve this.


Contact us to know more about how Techpearl experts can develop software products which satisfy the regulations of California Consumer Privacy Act.
