Developer Guide to the CCPA
The California Consumer Privacy Act (CCPA) is a landmark data protection law that went into effect on January 1, 2020. This act has introduced new information privacy rights to citizens living in California.
Every company that handles data belonging to California residents is subject to this law. Although it only applies to consumers who reside in California, it impacts companies across the entire nation. The CCPA is the most comprehensive and stringent data privacy law existing in the US.
The CCPA has striking similarities with the General Data Protection Regulation (GDPR), which is the European Union’s digital privacy act. If you are a developer, the chances are that Californian residents are going to interact with your website or application.
Under the CCPA regulation, all sites and apps will be subject to scrutiny; therefore, you need to ensure you are operating on the right side of the law.
CCPA Versus GDPR: Similarities and Differences
The GDPR harmonizes data privacy regulations across the European Union. It has an impact on every business that handles or controls data belonging to EU citizens. For this reason, the GDPR is legally binding for companies with global operations, whether located inside or outside Europe, as well as international websites.
The CCPA is still new, and there could be more changes before 2022. We are yet to see what the final version will incorporate. But as the two laws stand today, they both oblige organizations to be transparent and act in the best interest of consumers when handling their data and information. Businesses must disclose the information they collect about people and inform them about their rights.
Penalties for the violation of the GDPR reach up to 4 percent of the organization’s annual global turnover or €20 million, whichever is greater. There is also a commitment to apply administrative levies proportionately.
The CCPA fines come per violation, the maximum for intentional behavior being $7,500 per count. Should someone take civil action after a breach, your business will pay between $100 and $750 per consumer per incident.
If you’re already GDPR compliant, you might find complying with the CCPA smoother. However, you shouldn’t assume that compliance with one will satisfy the requirements of the other. Terminology and the conditions for violations and consequences may differ.
Under the CCPA, for example, businesses have a 30-day window to resolve violations and inform consumers about them; no sanctions apply while a violation is being cured within that window. On the other hand, the GDPR can apply sanctions when regulators find organizations at risk of a breach or acting irresponsibly. There is no grace period for rectifying violations.
What Developers Need to Know About the CCPA
Generally, this legislation aims to give consumers based in California more control over their data. It enables a California resident to access all the information that a company has related to them.
The consumer can grant or revoke permissions to that data, effectively dictating how businesses use their information. Considering that California residents may end up interacting with your site, every developer should thoroughly study this act.
Here’s an overview of what the CCPA entails.
The Core Principles of CCPA
CCPA concentrates on three main principles.
Transparency. One of the main areas that the CCPA focuses on is transparency. The act gives consumers the right to know which of their data businesses collect and how they use it.
If a company distributes or sells such data, consumers should know who it gets shared with. As a developer who interacts with customer data, the CCPA requires you to provide the consumer with all of these answers on request.
Control. The CCPA grants Californian consumers the right to opt out of any agreement they make regarding the sale of their data. As a developer, you should give your customers the right to view their data, erase it, and get compensated if a data breach occurs.
Data Security. The CCPA requires you to take adequate steps to protect consumer data. If your company fails to comply with this law, and customer data gets exposed intentionally or unintentionally, misused, or stolen, you might face penalties or civil suits.
Are You CCPA Compliant?
The CCPA took effect on January 1, 2020. However, the California Attorney General (CAG) will enforce the act starting July 1, 2020, or six months after publishing the final regulation.
Sadly, a significant percentage of organizations remain non-compliant. A survey by IAPP and OneTrust conducted between July and August 2019 showed that only 2 percent of the respondents were confident of full CCPA compliance.
On investigating why companies were finding it hard to comply, Compliance Week came up with the following findings.
Steps to CCPA Compliance
The infographic below highlights the steps organizations can follow to comply with the CCPA.
If you want your business to become CCPA compliant, follow the steps below.
To become compliant, you should know what information the site you develop is collecting and where it stores it. You must map the flow of data in your website, create an inventory, and have a method to classify the different information you collect.
Note that according to the CCPA, data doesn’t have to be directly related to an individual for it to qualify as personal information. Personal data may also include information linked to a household or an individual’s device. Your site should be able to track all the data it collects.
Inform Your Website Users
Be sure to store all the records of consent. You should also have a prominent button on the site to notify the consumer that they have the option to opt out of an agreement.
Respond to Consumer Requests
Since consumers have the right to make different requests concerning the data you collect, you need to make sure you aren’t ignoring or missing any requests. You should have a form where a consumer can initiate a request.
Develop a system that verifies the legitimacy of requests and create a dedicated email address for receiving all requests. You should also include a function in the user account where the consumer can access and download the report with ease.
Limit Data Collection
CCPA requires businesses to collect minimal data that they need for a specific purpose. Your website should, therefore, have a function that analyses data to ensure it only pulls what’s necessary. If you don’t need some particular information like personally identifiable details, don’t ask for it.
Ensure the Security of the Data You Collect
You should put in place adequate measures to guarantee the security of consumer information. You can achieve this by developing a highly secure and quality website. You can also take steps such as data encryption, limiting data access, performing periodic penetration tests, updating your site, using website security monitoring services, and utilizing firewalls.
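As an added example (not from the original article), a small Python sketch of the mechanics behind the steps above: a classified data inventory that drives minimization, a per-consumer consent and opt-out log, and a request intake that verifies the requester with a one-time token before producing the access report, recording the opt-out, or deleting the record. The inventory, field names and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventory: each stored field, its CCPA category (individual, household, device), whether it is needed
INVENTORY = {
    "email":         {"category": "individual", "needed": True},
    "postal_code":   {"category": "household",  "needed": True},
    "device_id":     {"category": "device",     "needed": True},
    "date_of_birth": {"category": "individual", "needed": False},
}

def minimize(submitted: dict) -> dict:
    """Keep only the fields the inventory marks as needed (limit data collection)."""
    return {k: v for k, v in submitted.items() if INVENTORY.get(k, {}).get("needed")}

@dataclass
class ConsumerRecord:
    data: dict
    consent_log: list = field(default_factory=list)  # timestamped consent / opt-out events
    opted_out_of_sale: bool = False

class PrivacyRequests:
    """Intake, verification and fulfilment of access, delete and opt-out requests."""
    def __init__(self, store: dict, secret: bytes):
        self.store, self.secret, self.pending = store, secret, {}
    def _digest(self, token: str) -> str:
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def open_request(self, email: str, kind: str) -> str:
        token = secrets.token_urlsafe(16)  # sent to the address on file; only its HMAC is kept
        self.pending[self._digest(token)] = (email, kind)
        return token

    def fulfil(self, token: str):
        email, kind = self.pending.pop(self._digest(token), (None, None))  # single use; fails closed
        if (record := self.store.get(email)) is None:
            return None
        if kind == "opt_out":
            record.opted_out_of_sale = True
            record.consent_log.append({"event": "opt_out_of_sale", "at": datetime.now(timezone.utc).isoformat()})
            return {"status": "opted_out"}
        if kind == "delete":
            del self.store[email]
            return {"status": "deleted"}
        if kind == "access":  # the downloadable report: data, its categories and consent history
            cats = {k: INVENTORY.get(k, {}).get("category", "unclassified") for k in record.data}
            return {"data": record.data, "categories": cats, "consent_log": record.consent_log}
```

In a real deployment the token would be delivered out of band (to the verified email address) and the pending table and records would live in durable storage rather than in memory.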
Even if you don’t operate in California, people who live there might use your website at some point. As a developer, you need to study the CCPA to understand what you need to do to stay compliant.
Complying with the CCPA will not only shield you from penalties and lawsuits, but it will also make your customers more confident with your site.