What You Should Know About the CCPA


The CCPA is designed to protect California residents’ personal information from the threats of unwanted disclosure, sharing, or sale. A key objective of the CCPA is to prevent situations like the recent event involving Cambridge Analytica gaining access to personal information of approximately 87 million Facebook users without their consent.

 

Although the CCPA is a California law, it affects any business that collects, shares or sells personal information of California residents, regardless of where that business operates. These individuals could be consumers as well as potentially employees or independent contractors. According to experts in a recent article published on Bloomberg BNA, the CCPA will apply to over 500,000 businesses servicing approximately 40 million California residents. This law is the first of its kind in the US, but other states could follow this trajectory in the next few months and years.

Companies are investing heavily in digital technologies and Big Data. The volume of personal information collected has increased significantly in the last few years and will continue to grow in the upcoming years. Indeed, collected personal information has become a significant asset for companies, supporting cost reduction, customer journey personalization and broad competitiveness.

Personal information is used by numerous departments and can be collected through various channels and technologies. 

 

>> The protection of personal information is paramount, and the rights granted to individuals are reinforced.

New Consumers' rights

The CCPA will confer new rights upon California residents. Businesses must notify consumers of these rights and address them in their policies. This is going to introduce new cross-functional processes across business departments.

  • Right to Know: The right of Californians to know (a) what personal information is being collected about them and (b) whether their personal information is sold or disclosed and to whom.

  • Right to Opt-out, Opt-in: The right of Californians to prohibit the sale of their personal information (“opt-out”) and the need to authorize such a sale for individuals 16 years old or younger (“opt-in”).

  • Right to Access: The right of Californians to access their personal information held by businesses or their third parties.

  • Right to Equal Service and Price: The right of Californians to not be discriminated against when exercising their privacy rights.

  • Right to Request Deletion: The right of Californians to request businesses to delete their personal information, subject to certain exceptions like the need for the business to comply with legal obligations.

  • Right to Seek Damages: The right of Californians to seek statutory damages from businesses in case of violations. Statutory damages range from $100 to $750 per consumer per incident or actual damages, whichever is greater.

Business Requirements and Prohibitions 

To help enforce these rights, the CCPA imposes requirements and prohibitions on businesses that collect or sell personal information:

  • Disclosure Requirements: Upon receipt of a verifiable consumer request, businesses will be required to disclose:

    • The categories and specific pieces of information that they collect about the consumer

    • The categories of sources from which that information is collected

    • The business purposes for collecting or selling the information; and

    • The categories and identity of third parties with which the information is shared.

  • Deletion Requirements: Upon receipt of a verifiable consumer request, businesses will be required to delete the personal information as long as it does not interfere with the legal obligations of the business.

  • Opt-out Requirements: Businesses will be required to grant a consumer’s verified request to opt-out from the sale of their personal information.

  • Opt-in Requirements: Businesses will be required to seek affirmative authorization for selling the personal information of consumers under 16 years of age.

  • Discrimination Prohibition: Businesses will be prohibited from discriminating against customers who exercise their personal information-related privacy rights. Businesses will have the ability to offer financial incentives for the collection of personal information.

What do businesses need to do?

Businesses first need to assess the CCPA’s applicability to their operations. Use this link to go to the page "Are you impacted?".

Once the need to comply with some or all of CCPA sections is confirmed, businesses need to assess whether their existing data privacy and information security policies, procedures and practices are sufficient to meet the CCPA requirements.

Our experience working with clients to establish resilient and sustainable data privacy and information security capabilities that are compliant with regulatory expectations demonstrates that the effort can be organized across the following areas:

The success of the CCPA compliance project relies on an organization’s ability to mobilize its workforce and create a long-term solution based on a sound corporate culture and effective governance.
