The California Consumer Privacy Act, or CCPA, extends California consumers’ privacy rights by giving those consumers more control over their personal information.
The CCPA takes effect on January 1, 2020, and Cloud4Wi is on it.
A new data privacy law in California
Protecting customer data and privacy is a fundamental and essential requirement of running a business. Back in May 2018, we saw the introduction of the European data privacy law known as the General Data Protection Regulation (GDPR). In January 2020, a similar privacy law known as the California Consumer Privacy Act (CCPA) will come into effect. Although the law continues to be amended by the California legislature, there are some things you should be aware of if you conduct business in California. If you’ve worked on complying with the GDPR, you’re in good shape to meet some of the CCPA requirements. Otherwise, it’s time to prepare.
On this page, we'll walk you through the basics of the law, and some of the most relevant parts for Cloud4Wi customers. As the January deadline draws nearer, we'll create more product-specific resources to help you meet some of the CCPA's requirements. Although most Cloud4Wi customers won’t need to make changes because of the CCPA, it’s important to find out if you meet the specific requirements.
What is the CCPA?
The California Consumer Privacy Act (CCPA) establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information. The CCPA is the most extensive consumer privacy legislation passed in the United States to date. It goes into effect on January 1, 2020, and the California Attorney General is expected to issue regulations clarifying certain provisions of the CCPA before then.
Does the CCPA apply to my business?
The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information (“controllers”) and also satisfies ANY one of the following thresholds:
- Exceeds $25 million gross revenue annually,
- Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
- Derives more than 50% of annual revenue from selling consumers' personal information.
The CCPA also applies to any business that controls or is controlled by an entity that meets one of the above criteria and shares common branding with that entity. For example, non-profit organizations won’t need to comply with the CCPA unless they are owned by, control, or share branding with a for-profit business.
Who and what does the CCPA protect?
The CCPA protects privacy by affording Californians the right to access, delete, and opt out of the sale of their data. The CCPA protects “consumers,” which are broadly defined as California residents. “Consumers” extends to both California residents currently in the state and those traveling outside of the state. They encompass customers of goods and services, employees, and business-to-business transactions.
You might be wondering what type of data is protected. Right now, the data covered can be broadly described as all data collected on consumers. You can think of it as data that, directly or indirectly, identifies, describes, or can reasonably be linked to a particular consumer or household. For example, commercial internet activity information and any inferences drawn about a consumer are covered. There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.
Important requirements under the CCPA
- Individual’s rights
The CCPA grants consumers rights to know what personal information a business sells, discloses, or collects about them as well as the categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of personal information collected about them by making “verified consumer requests.” Customers then have the right to transmit the information from one entity to another.
Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, like when personal information is necessary to perform a contract or complete a transaction.
Consumers are given the right to opt out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers that exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation.
- Internal expectations for your business
Making required disclosures: Businesses must notify consumers of their rights under the CCPA, including their right to deletion, right to know, and data portability rights as well as how to exercise these rights. These required disclosures can be made via privacy policies, in CCPA-specific notices, or at the time the personal data is collected. Companies’ privacy policies must lay out how the collected data will be used. The CCPA imposes obligations for companies that sell a consumer’s personal information and/or the data of children. However, Cloud4Wi customers are not allowed to use our products to sell data or collect children’s data. See our Privacy Policy and Terms of Use for more information.
Responding to consumer rights requests: Businesses must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to customer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.
Access and portability: Businesses must make at least two methods for submitting requests available to consumers including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses must respond to consumers’ requests for information within 45 days of receiving a request, which may be delivered by mail or electronically in a portable format. However, for online-only businesses, one proposed amendment to the CCPA allows them to make, at a minimum, only an email address available for submitting requests for information. You may track the status of this amendment here.
Deletion: If requested, businesses must delete the consumer’s personal information from their records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes, or another purpose listed in the Act.
Opt-out: Companies that sell data must disclose that they do so to their customers, and include a “Do Not Sell My Personal Information” link giving consumers the opportunity to opt out both in a privacy policy and on the company’s website homepage. If a consumer opts out or refuses to opt in, the business must honor that request and continue to provide equal service and pricing to consumers that opted out.
What happens if I don’t comply with the CCPA?
The Act is enforced by the California Attorney General, and currently provides businesses 30 days to comply if accused of noncompliance. However, a proposed bill removes this time period and allows for enforcement immediately. Civil penalties of up to $2,500 per violation, or $7,500 for intentional violations, may be imposed. The CCPA extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.
Cloud4Wi enables your business to meet the CCPA’s requirements.
There is and will likely continue to be a significant amount of overlap between the CCPA and the GDPR. Cloud4Wi has extensive resources on GDPR, including this playbook, that explain our product and system features and functionality used by us and by our customers to support compliance with GDPR.
A good portion of the existing product and system features, processes and policies (that are currently used for GDPR compliance) can be used in the same ways for compliance with CCPA (in whatever final form). Example: you may handle Access and Deletion Requests (these are currently requirements under both bodies of law) by using our existing functionality.
We will provide more information on our official CCPA playbook or other resources once the CCPA is finalized and as they become available.
PROTECTING YOUR DATA
Cloud4Wi does not and will not buy or sell personal information. Our business is built on providing world-class first-party data collection tools and insights into your data, not on re-selling or enriching that data.
PROVIDING NEW RIGHTS & REQUESTS
The CCPA gives California consumers new rights over their personal information. This includes the right to access personal information, the right to have personal information deleted, and the right to control the sale of personal information to third parties.
MEETING CCPA REQUIREMENTS FOR CONSUMERS
Cloud4Wi Dashboard and APIs allow you to meet consumers’ requests for access. Using the Cloud4Wi Dashboard or the APIs, you can delete personal information, understand the categories of data collected, and get copies of the data Cloud4Wi has processed on your behalf.
HELPING YOU MEET YOUR COMPLIANCE OBLIGATIONS
Cloud4Wi is prepared and able to help you meet your CCPA compliance obligations. When you use Cloud4Wi to collect or process personal information, Cloud4Wi acts as a “service provider” and is prepared to sign a data processing agreement that cements our role.
Cloud4Wi is Built for Privacy and Security
Cloud4Wi's platform and interface were built with privacy and security in mind.
OPTION TO OPT-IN OR OUT
Cloud4Wi's flexible opt-in/opt-out features and data processing controls allow you to meet your privacy obligations by not tracking or collecting information from users who have not consented to tracking or collection.
CUSTOM DATA COLLECTION
Cloud4Wi's implementation features allow you to customize the data you collect from your customers so you can limit the amount of personal information you collect (or not collect any at all).