Is your company okay? California's new state law, the CCPA
Are you familiar with the California state law known as the CCPA? It came into effect in January 2020 and applies to any company that collects and manages the information of California consumers, regardless of where its business is based. As of July 2020, companies violating the CCPA could face hefty fines, and since some of our clients may be affected, we have researched and compiled information on the state law and the companies it applies to.
What is CCPA?
The CCPA (California Consumer Privacy Act) is essentially a state law that strengthens the privacy protection of consumers living in California. It grants California residents the right to control their own personal information. The following are some of the things consumers can control:
- Consumers can ask companies how their personal information is being handled and used, and receive an answer. (This means that companies must provide the information requested by consumers within 45 days.)
- Consumers can refuse to allow companies to provide or sell their personal information to third parties. (This means that companies cannot provide or sell personal information to third parties without permission from consumers who have refused.)
- Consumers can request that companies delete their personal information. (Companies must comply with consumers' requests to delete their personal information.)
- Consumers can expect to receive the same level of service from companies even after exercising the three rights mentioned above. (Even if consumers exercise their rights to request personal information, refuse the sale of personal information, or request the deletion of personal information, companies must continue to provide services as before.)
Furthermore, consumers can exercise their rights against companies that hold their personal information, regardless of whether they have used the company's products or services. Based on the above, companies are now required to respond to consumer demands at any time. In fact, major companies such as Google and Facebook initially opposed this state law. However, due to strong demand from residents, the law was enacted.
Companies subject to CCPA
As mentioned at the beginning, any company that collects and manages the personal information of consumers residing in California may be subject to these regulations, regardless of its business location. In particular, companies that meet any of the following criteria should pay close attention, as they may be subject to fines if they violate the state law.
- Companies with annual sales of over $25 million
- Companies that handle the personal information of 50,000 or more California residents annually
- Companies that derive 50% of their total revenue from the sale and purchase of personal information (of California residents)
If a parent or subsidiary company meets any of the above conditions, both the subsidiary and the parent company will be required to manage personal information in accordance with state law. Furthermore, even if a company only retains consumers' email addresses through email newsletters, it may still be possible to track them using their IP addresses and identify their addresses, so this should also be confirmed with the management department.
What the target company actually needs to do
Companies are now required to update their privacy policies annually, including details such as the purpose of collection and use of personal information, third parties with whom information is shared, and methods of information trading. Furthermore, when consumers utilize their CCPA rights, companies must clearly define their procedures for verifying their identity before responding. They must also disclose information to consumers utilizing these rights within 45 days. Companies that violate these regulations will receive a notice of corrective action, and failure to rectify the situation within 30 days will result in one violation per consumer, with a maximum fine of $2,500 per violation. (Note: These amounts are subject to change.) Unless companies review and prepare their collection and management methods internally, they may face a flood of inquiries from consumers utilizing these rights in January 2020. It's also important to keep in mind that some consumers may have malicious intent…
Bonus
What did you think? Our company also investigated whether our clients, with whom we do business, are subject to this state law, but it's clear that you can't rest easy just because a company doesn't have a base in the United States. While it has made it easier for consumers to manage their personal information, companies cannot ignore this law, as it could result in fines that could jeopardize their business. The GDPR, enacted in Europe, further strengthened the handling of personal information even before the CCPA. While the CCPA and GDPR both aim to strengthen personal information protection, their content and obligations differ, so I would like to write an article about that when I have time.
GO RIDE provides e-commerce website creation and operation services. Please feel free to contact us.