California Consumer Privacy Act (CCPA)

Consumer Privacy And Your Business – What You Need To Know

Part 1 of 3 in the Privacy Act Series.

Are you a business that sells products or services to consumers online? If so, then regulatory compliance with consumer privacy should be in your DNA. The California Consumer Privacy Act (CCPA), now largely known as the California Privacy Rights Act (CPRA), gives consumers control over the personal information that businesses hold about them. The CCPA/CPRA sets out rules and regulations you will need to be aware of so you can stay squeaky clean in the eyes of the law, and I am here to help you with all the legal jargon so you can remain (or become) compliant.

What CCPA And CPRA Changes And Updates Have Been Established Beginning In 2023?

Think of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as pretty much the same thing. Tightening the rules warranted a name change.

A Brief History: The CCPA became effective Jan. 1, 2020. The group Californians for Consumer Privacy almost immediately felt it wasn’t strong enough, and so started a campaign to make it stronger, more protective of consumer rights, and stricter about the collection and use of personal information. Their campaign led to a citizens’ ballot initiative in 2020, called the CPRA, which built upon the CCPA, strengthened and clarified the rules protecting consumer information, and updated the name to CPRA.

Here Is A Rundown Of Information You Must Disclose And/Or Make Available:

Right to Access, Deletion, and Correction: In short, consumers must be able to obtain, delete, or correct their own personal information at any time, right away. If consumers ask you to delete your record of their information, you have to delete it AND, if you have shared or sold it, you must require the recipient of the information to delete it as well.

Additionally, you must provide consumers with a list of:

  • Categories of personal information you have collected from them.
  • Categories of sources where you collected their information.
  • The business purpose for collecting their information.
  • Categories of all third parties to whom you sell OR share their data.

Right To Object to Sale or Share: Consumers are able to prevent the sale or sharing of their information. To make this visible and simple, as the law requires, a “do not share” button or link on your website can come in clutch.

Right To Opt-Out of Behavioral Profiling and Automated Decision-Making: Consumers can request that you stop profiling them and serving ads based on their web behavior. They can also ask you not to use automated decision-making to serve them ads or make them offers.

Right To Object to the Use of Sensitive Personal Information: For personal data covering things like precise geolocation, religion, race, gender orientation, genetics, biometrics, sexual orientation, and the content of communications, consumers can stop you from using all of that data. CPRA requires you to have a prominent button or link people can use to “limit the use of my sensitive personal information.”

Right to Data Portability: When instructed by the consumer, you must transfer any personal data you hold about them to another organization, “to the extent technically feasible, in a structured, commonly used, machine-readable format.”

Purpose Limitation: Personal data can only be used for the purpose for which it was originally collected.

Protection of Children’s Data: If you knowingly or unknowingly violate the privacy of children under 16, fines are now triple what they once were. Permission from a guardian is needed to collect a child’s data, and if you are refused consent to collect a child’s data, you must wait 12 months before requesting it again.

Storage Limitation: Data must be destroyed or deleted once it has served the purpose for which it was collected.

Reasonable and Appropriate Security: Appropriate security levels must be implemented for personal data storage according to how sensitive the data is and the harm that would result from unauthorized access.

As you can see, there are a lot of rules. And they are REQUIRED to be followed.

I’m Not In California, So Why Does Their Consumer Privacy Act Apply To Me? Continue to Part 2 of the Privacy Act Series.
