CCPA Compliance
CCPA Compliance and Our Readiness:
We invest in our security team to meet CCPA obligations vigilantly.
Our team carries out a fair and transparent data collection and selling process.
We grant every individual the right to know how their data is used within our company and for marketing purposes.
We obtain consent before sending any marketing emails and include an opt-out option with each of them.
If you want your data changed or deleted, we are responsible for taking the relevant action immediately.
We keep our data inventory up to date as new consumer information is collected and deleted.
We also ensure consumers who opted out of the sale of their PI are not asked for re-consent within 12 months.
To comply with the CCPA rules, we have also updated our Privacy Notices, Policies, and Third-Party Agreements.
Our team implemented several protocols to ensure consumer rights.
Our employees are trained to handle consumer requests in accordance with the business's relevant privacy policies.
We guarantee that only authorized personnel can access an individual's personal information.
All consumer personal information is stored in encrypted form and is password-protected.
Our data security team continuously monitors the data for breaches and notifies you if one is found.
We comply with several other standards and regulations, including GDPR.
We are an esteemed member of the Direct Marketing Association and BBB Accreditation with a rating of A+.
A business is subject to the CCPA only if it
- Does business in California
- Is profit-oriented
- Collects consumers' personal information (PI)
- Determines the purposes and means of processing consumers' PI
In addition, the CCPA applies to a business that
- Earns annual gross revenue more than $25 million
- Buys, receives, sells, or shares PI of 50,000 or more consumers, devices, or households for commercial reasons.
- Derives 50% or more of its annual revenue from selling consumers' PI.
The CCPA does not apply to the following
- Personal information gathered, handled, sold, or disclosed per the California Financial Privacy Information Act or Gramm-Leach-Bliley Act.
- Medical information gathered by an entity governed by the California Confidentiality of Medical Information Act (CMIA), Health Insurance Portability and Accountability Act or information collated for clinical trials.
- The sale of PI to or from a consumer reporting agency, where that information is to be reported in, or used to generate, a consumer report.
- Cooperation with law enforcement agencies or exercising/defending legal claims.
- Efforts to comply with state, federal, or local law.
- A criminal, civil, or regulatory investigation; or a summons or subpoena.
- Data collected, processed, sold, or disclosed in accordance with the Driver's Privacy Protection Act (DPPA) of 1994.
Businesses it applies to
- The GDPR applies to all firms that process the data of EU citizens, regardless of their location or size.
- The CCPA is somewhat narrower in scope. It applies only to California-based businesses that have revenue of more than $25 million or whose primary business is the sale of PI.
Consumer Rights
- The GDPR covers all data relating to the EU consumer/citizen.
- The CCPA treats both the consumer and the household as identifiable entities, whereas in some cases it only considers data provided by the consumer, as opposed to data obtained or acquired from third-party vendors.
Enactment and Enforcement
- The GDPR was adopted in April 2016 but became enforceable on May 25, 2018.
- The California Consumers Protection Act goes into effect in January 2020, and it may become more detailed along the way. At present, the CCPA appears to have been formed in response to recently publicized cases of personal data misuse.
Data Encryption
- Both the GDPR and the CCPA make data encryption an indispensable privacy-protection measure for businesses.
- Under both laws, if a company suffers a data breach but the affected data is encrypted, some of the company's obligations are reduced.
Penalties
- The GDPR imposes stricter penalties for non-compliance or a data breach, which can reach 4% of the business's annual global turnover or 20 million euros (whichever is greater).
- Under the CCPA, fines are applied per violation (a maximum of $7,500 per violation), the total is not capped, and there appear to be no separate sanctions for non-compliance.
- Name, personal identifier, account name, IP address, mailing address, email address, Social Security number, passport number, and driver’s license number.
- Geo-location data
- Biometric information
- Personal information defined by California's records destruction law (Cal. Civ. Code § 1798.80(e)), which includes physical characteristics or description, signature, telephone number, education, employment, insurance policy number, financial account information, and employment history
- Characteristics of protected classifications under California or federal law
- Commercial data, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Internet or other electronic network activity, including browsing history, search history, and a consumer's interaction with a website, application, or advertisement
- Audio, visual, thermal, electronic, olfactory, or related information
- Professional or employment-related data
- Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 USC § 1232(g), 34 CFR Part 99)
- The right to know about the personal information a business collects about them: This rule requires firms to be transparent with their consumers about the personal information gathered and how it is used.
- The right to request the categories of information a business collects, upon a verifiable request: This rule grants consumers the right to request disclosure of the categories and specific pieces of PI that a company collects, the categories of sources from which the data was received, the business purpose for collecting or selling the information, and the categories of third parties with whom the information is shared.
- The right to know the type of personal information collected about consumers: This rule requires businesses to disclose the PI collected about the consumer and the purposes for which it is used.
- The right to say "NO" to the sale of PI: This allows consumers to opt out of the sale of their PI by a business, and also prohibits the company from discriminating against a consumer for exercising this right, such as charging a different price or providing a different quality of goods or services to people who opt out, unless the difference is reasonably related to the value provided by the consumer's data. This rule also prohibits a company from selling the PI of a consumer under 16 years of age unless affirmatively authorized.
- The right to delete personal information: This rule grants consumers the right to request deletion of their PI. It also requires businesses to delete personal data upon receiving a verified deletion request.
- The right to equal service and price, even when consumers exercise their privacy rights: This rule also authorizes businesses to offer financial incentives for the collection of PI.