You may have heard about the data rights introduced under the GDPR, but what’s the difference between those and the new rights introduced under the California Consumer Privacy Act (CCPA)?
The CCPA applies to any business that serves customers based in California and processes and profits from their personal data on a large scale.
While its laws are quite similar to those of the GDPR, the CCPA has a narrower focus on the types of organisations and data processing it regulates.
In this article, we’ll break down the CCPA’s “Right to Know” and “Right to Deletion” and what it means for online businesses.
What is the Right to Know?
Under Section 1798 of the CCPA, the Right to Know (sometimes called “The Right to Notice”) states that consumers have the right to request that a business disclose whether it collects any personal information about them; what types of information are being collected; how it uses the information; and the purposes for which their data has been collected.
The CCPA stipulates that businesses must inform consumers at or before the point at which their data is collected.
In addition to informing customers upfront about their data collection practices, a business must provide access to any information that they have collected about their customers, should they receive a “verifiable request” to do so.
That is, a business can only provide access once they have verified that the person making the request is truly the customer to whom the information belongs.
What is the Right to Deletion?
The Right to Deletion states that, under certain conditions, consumers have the right to request the deletion of any personal information that a business has collected about them.
Here, the definition of “deletion” can include:
- The permanent and complete erasure of personal information on a business’ existing systems (excluding any archived or back-up systems)
- The de-identification of personal information
- The aggregation of personal information (presenting data in a summarised format).
A business must notify its customers of their Right to Deletion, and if a customer submits a request to delete their data, the business must respond within 45 days.
Similar to the Right to Know, a business can only go ahead with deletion once they have confirmed that the person who made the request is who they say they are (or can prove that they are authorised to do so on the customer’s behalf).
Requesting that your data is deleted isn’t as simple as it sounds, however: a customer can only do so successfully under limited circumstances, and there are numerous exceptions that could allow a business to keep your data.
For example, a business may need to retain your information in order to fulfil a warranty claim; provide their products and services; or comply with other legal obligations.
What do the new laws mean for online businesses?
To comply with the CCPA, businesses must take a proactive approach to protecting their customers’ privacy and rights over their data to avoid getting hit with steep fines or hurting their brand.
While every business’ journey towards compliance is unique, we recommend implementing the following best practices at a minimum:
- Train staff on how to verify, record, and respond to data access and deletion requests in alignment with the CCPA
- Implement data security measures to protect your customers’ personal information
To determine whether the CCPA applies to your business and get tailored advice on achieving compliance, we recommend consulting with a qualified legal professional.