Although the California Consumer Privacy Act (CCPA), or “the Californian GDPR” as lawyers have called it, is narrower than GDPR and does not regulate personal data protection relationships as fully, it has some undeniable strengths and advantages.
1. Tell consumers what privacy rights they have.
- rights of consumers whose personal information is collected by the company;
- rights of consumers whose personal information the company sells or otherwise discloses for business purposes;
- consumers’ rights against discrimination, as well as consumers’ rights to participate in various company loyalty programs.
This requirement is quite similar to the GDPR requirement that the controller provide information regarding the processing of the data subject’s personal data in a concise, transparent, understandable and easily accessible form, but the CCPA requirement provides more detail.
2. CCPA requires you to specify what consumer information is collected.
Another requirement of the Californian GDPR is the company’s obligation to provide a comprehensive list of the personal information that the company collects about a particular type of consumer or about consumers as a whole.
In defining personal information, the Act specifies that the following types of information, among others, shall be treated as personal information:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- biometric information.
- internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- geolocation data.
- audio, electronic, visual, thermal, olfactory, or similar information.
- professional or employment-related information.
- education information, defined as information that is not publicly available personally identifiable information.
- inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
We would like to emphasize that the list of such information shall relate to the 12-month period preceding the consumer’s request. This requirement differs from GDPR, where the controller is not limited by a fixed term under a similar obligation.
3. If you sell or otherwise disclose personal information of consumers, CCPA requires you to reveal this fact.
Analysis of the provisions of the CCPA makes clear that it is going to be adopted mainly to govern relations regarding the sale of personal data. The CCPA therefore gives these issues very serious attention.
However, the Act acknowledges the possibility that certain companies will not sell their customers’ information or disclose it for commercial purposes. Such companies are required to clearly indicate in their privacy policies that they do not in any way sell or disclose their customers’ personal information for commercial purposes.
4. What are the means of communication required by the CCPA?
This requirement of the CCPA reflects well the conservative nature of the US legal system as a whole. Under the provisions of the CCPA draft text, a company is required to make two or more means of communication available to consumers, including as a minimum:
- a toll-free telephone number;
- if the business maintains an Internet website, the website address.
Compared to GDPR, which generally states that a data subject should be able to obtain information in a concise, transparent, understandable and easily accessible manner, the California Consumer Privacy Act clearly details the requirements for companies and imposes a clear minimum for the means of communication that should be available.
5. CCPA needs you to update your policy!
The policy should contain the date of the last update. Likewise, the policy would benefit from a provision on updating it at least every 12 months. Such a mechanism serves to keep the company’s policy relevant and to maintain the compliance tone.
At the same time, companies are not limited to the above list and have the right to supplement their policies with other information they deem appropriate (for example, the procedure for submitting and reviewing consumers’ requests, the procedure for verifying a consumer’s request, etc.).