The California Consumer Privacy Act, or CCPA, extends California consumers’ privacy rights by giving those consumers more control over their personal information.
The CCPA takes effect on January 1, 2020, and Cloud4Wi is on it.
A new data privacy law in California
Protecting customer data and privacy is a fundamental and essential requirement of running a business. Back in May 2018, we saw the introduction of the European data privacy law known as the General Data Protection Regulation (GDPR). In January 2020, a similar privacy law known as the California Consumer Privacy Act (CCPA) will come into effect. Although the law continues to be amended by the California legislature, there are some things you should be aware of if you conduct business in California. If you’ve worked on complying with the GDPR, you’re in good shape to meet some of the CCPA requirements. Otherwise, it’s time to prepare.
On this page, we'll walk you through the basics of the law, and some of the most relevant parts for Cloud4Wi customers. As the January deadline draws nearer, we'll create more product-specific resources to help you meet some of the CCPA's requirements. Although most Cloud4Wi customers won’t need to make changes because of the CCPA, it’s important to find out if you meet the specific requirements.
Disclaimer: This website is neither an exhaustive summary of the California Consumer Privacy Act (CCPA) nor legal advice for your company to use in complying with it. Instead, it provides background information to help you better understand the CCPA and how it can apply to your business. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so you should consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this paper as legal advice, nor as an endorsement of any particular legal understanding. You may read more about recent movement toward a federal data privacy law here and here. Cloud4Wi is monitoring, and will continue to monitor, both the development of federal privacy legislation and subsequent amendments to the CCPA, and will continue to update this page as necessary.
What is the CCPA?
The California Consumer Privacy Act (CCPA) establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information. The CCPA is the most extensive consumer privacy legislation passed in the United States to date. It goes into effect on January 1, 2020, and the California Attorney General is expected to issue regulations clarifying certain provisions of the CCPA before then.
Does the CCPA apply to my business?
The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information (“controllers”) and also satisfies ANY one of the following thresholds:
- Exceeds $25 million gross revenue annually,
- Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
- Derives more than 50% of annual revenue from selling consumers' personal information.
The CCPA also applies to any business that controls or is controlled by an entity that meets one of the above criteria and shares common branding with that entity. For example, non-profit organizations won’t need to comply with the CCPA unless they are owned by, control, or share branding with a for-profit business.
Who and what does the CCPA protect?
The CCPA protects privacy by affording Californians the right to access, delete, and opt out of the sale of their data. The CCPA protects “consumers,” which are broadly defined as California residents. “Consumers” extends to both California residents currently in the state and those traveling outside of the state. They encompass customers of goods and services, employees, and business-to-business transactions.
You might be wondering what type of data is protected. Right now, the data covered can be broadly described as all data collected on consumers. You can think of it as data that, directly or indirectly, identifies, describes, or can reasonably be linked to a particular consumer or household. For example, commercial internet activity information and any inferences drawn about a consumer are covered. There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.
Important requirements under the CCPA
The CCPA grants consumers rights to know what personal information a business sells, discloses, or collects about them as well as the categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of personal information collected about them by making “verified consumer requests.” Customers then have the right to transmit the information from one entity to another.
Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, like when personal information is necessary to perform a contract or complete a transaction.
Consumers are given the right to opt out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers that exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation.
Internal expectations for your business
Responding to consumer rights requests: Businesses must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to customer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.
Access and portability: Businesses must make at least two methods for submitting requests available to consumers including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses must respond to consumers' requests for information within 45 days of receiving a request, which may be delivered by mail or electronically in a portable format. However, for online-only businesses, one proposed amendment to the CCPA allows them to make, at a minimum, only an email address available for submitting requests for information. You may track the status of this amendment here.
Deletion: If requested, businesses must delete the consumer’s personal information from their records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes, or another purpose listed in the Act.
What happens if I don’t comply with the CCPA?
The Act is enforced by the California Attorney General, and currently provides businesses 30 days to comply if accused of noncompliance. However, a proposed bill removes this time period and allows for enforcement immediately. Civil penalties of up to $2,500 per violation, or $7,500 for intentional violations, may be imposed. The CCPA extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.
Cloud4Wi enables your business to meet the CCPA’s requirements.
There is and will likely continue to be a significant amount of overlap between the CCPA and the GDPR. Cloud4Wi has extensive resources on GDPR, including this playbook, that explain our product and system features and functionality used by us and by our customers to support compliance with GDPR.
A good portion of the existing product and system features, processes and policies (that are currently used for GDPR compliance) can be used in the same ways for compliance with CCPA (in whatever final form). Example: you may handle Access and Deletion Requests (these are currently requirements under both bodies of law) by using our existing functionality.
We will provide more information on our official CCPA playbook or other resources once the CCPA is finalized and as they become available.
PROTECTING YOUR DATA
Cloud4Wi does not and will not buy or sell personal information. Our business is built on providing world-class first-party data collection tools and insights into your data; not on re-selling or enriching that data.
PROVIDING NEW RIGHTS & REQUESTS
The CCPA gives California consumers new rights over their personal information. This includes the right to access personal information, the right to have personal information deleted, and the right to control the sale of personal information to third parties.
MEETING CCPA REQUIREMENTS FOR CONSUMERS
Cloud4Wi Dashboard and APIs allow you to meet consumers’ requests for access. Using the Cloud4Wi Dashboard or the APIs, you can delete personal information, understand the categories of data collected, and get copies of the data Cloud4Wi has processed on your behalf.
HELPING YOU MEET YOUR COMPLIANCE OBLIGATIONS
Cloud4Wi is prepared and able to help you meet your CCPA compliance obligations. When you use Cloud4Wi to collect or process personal information, Cloud4Wi acts as a “service provider” and is prepared to sign a data processing agreement that cements our role.
Cloud4Wi is Built for Privacy and Security
Cloud4Wi's platform and interface were built with privacy and security in mind.
OPTION TO OPT-IN OR OUT
Cloud4Wi's flexible opt-in/opt-out features and data processing controls allow you to meet your privacy obligations by not tracking or collecting information from users who have not consented to tracking or collection.
CUSTOM DATA COLLECTION
Cloud4Wi's implementation features allow you to customize the data you collect from your customers so you can limit the amount of personal information you collect (or not collect any at all).