The CCPA in California and How to Comply with It

Everything you need to know if you are a business that needs to comply with the California Consumer Privacy Act (CCPA). 

What does CCPA stand for?

The California Consumer Privacy Act (CCPA) is a law granting Californian consumers new privacy rights. It allows consumers to take back control over their personal information by giving them possibilities to ask businesses which information they are storing about them and which data they currently have. It also gives consumers the right to be informed before personal data is collected. 

In this context, personal information is defined as “information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics”

The State of California Department of Justice divides CCPA into 4 different rights: the right to know, the right to delete, the right to opt-out, and the right to non-discrimination. However, it only applies to businesses having a gross annual revenue of over $25 million, that handle information of 50,000 or more Californian residents, their devices, or households, and those who sell personal information about California residents for at least 50% of their annual revenue. Government agencies and nonprofit organizations do not have to apply with CCPA regulations. 

The CCPA requirements:

The right to know means that upon consumers’ requests businesses must disclose what information they have collected on the consumer and for which purposes. Utilized information includes both the selling and sharing of personal data. In order to comply with the CCPA, businesses must provide consumers with this information for the 12-month period prior to their request and free of charge. For further details, look up the webpage of the State of California Department of Justice. 

The right to delete allows consumers to request the deletion of previously collected personal information. Some businesses can keep personal information on consumers under certain circumstances. 

By exercising the right to opt-out, consumers can instruct businesses to stop selling their personal information. Unless consumers provide authorization to allow businesses to do so again, businesses lose their permission to sell consumers’ personal information after their opt-out request. Further, businesses have to wait 12 months before they can request to sell your personal information again. 

The right to non-discrimination means that a business cannot discriminate against consumers for having requested their rights under the CCPA. In some cases, a business may not be able to comply with a consumer’s request, for example, if their personal information is necessary for the business’ services. Additionally, a business may offer consumers a financial incentive to keep using their data.   

If a business collects, processes, or stores the personal information of California consumers, they must comply with the CCPA as failure to do so could result in significant fines.  

How does it interfere with CalOPPA?

The California Online Privacy Protection Act (CalOPPA) was the first state law in the U.S. to require commercial websites and online services to post a privacy policy on their websites. CalOPPA’s reach was later extended to include mobile apps.  The CCPA is much broader in scope than CalOPPA, regulating any business that collects, processes, or stores the personal information of California consumers, regardless of where the business is based. The CCPA also gives Californians new rights with respect to their personal data as described above. It is important to note, that the CCPA did not replace the CalOPPA. Depending on one’s business or website in general, they will need to comply with either one or both laws depending on whether they reach Californian customers or not.  

How does MDM help businesses comply with CCPA? 

There are a few key ways in which mobile device management (MDM) can help businesses comply with the CCPA.  

First, by using MDM to deploy and enforce privacy policies on devices, businesses can be sure that their employees are aware of how their personal data is being used and handled by their company. This is important as one of the key requirements of CCPA is that businesses provide clear and concise information to consumers about their rights under the law.  

Secondly, MDM can be used to remotely delete data from devices if it is no longer required or if the consumer requests that their data be erased. This helps to ensure that personal data is only kept for as long as necessary and reduces the risk of unauthorized access or disclosure.  

Moreover, it is possible to separate work and private life on the mobile device. This makes sense if employees use their devices for both private and business purposes.  The areas are segmented in a way that ensures that they are not mixing. Switching back and forth, however, is seamless, and the simple and quick commissioning and management of devices, including the allocation of rights and the distribution of the required apps, saves time and simplifies administrative work. Thanks to the ability of central administration, IT administrators avoid unhappy employees who have difficulties setting up their devices.   

When it comes to meeting the requirements of the CCPA, MDM solutions can play a key role. MDM provides businesses with visibility and control over all the devices in their fleet, including both corporate-owned and BYOD devices, and since CCPA applies to any type of data that could be used to identify a consumer – wherever it is stored – having an MDM solution is essential for promoting compliance. 

Conclusion

When it comes to meeting the requirements of Californian legislation such as the CCPA, MDM solutions like Cortado are a valuable asset. 

MDM solutions can help businesses remotely manage and monitor the data on devices within their fleet, ensuring that only authorized individuals have access to sensitive information. In addition, many MDM solutions include features like data encryption and password protection, which can further safeguard data, and such also benefits the company since it reduces the risk of having their data attacked.