Expresso® now enables support of the California Consumer Privacy Act of 2018 (“CCPA”), which became law beginning January 1, 2020. CCPA grants California (“CA”) Consumers certain rights with respect to their “personal information.” The CCPA Add On can only be purchased with a Basic or Silver Expresso Subscription. The CCPA is a rights-based regime with numerous prescriptive due process obligations.
The CCPA grants a Consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
The CCPA grants a Consumer a right to request that a business that sells the Consumer’s personal information (“PI”), or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA requires a business to provide this information in response to a verifiable Consumer request.
The CCPA authorizes a Consumer to opt out of the sale of PI by a business and prohibits the business from discriminating against the Consumer for exercising this right, including by charging the Consumer who opts out a different price or providing the Consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the Consumer’s data.
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer upon a verifiable request.
A business shall not discriminate against a consumer because the consumer exercised any of its rights under the CCPA.
Unlike HIPAA, the CCPA allows for a limited private right of action, which is “lawyer-speak” for the fact that an individual Consumer can directly bring an action, instead of just the CA Attorney General. That said, the fines on suits brought by individuals are limited to USD $100 to $750.
The CCPA authorizes businesses to offer financial incentives for the collection of PI. CCPA prohibits a business from selling the PI of a Consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt-in.
The CCPA imposes other detailed requirements on certain Businesses that fall outside the scope of the rights. The CCPA is the most stringent state privacy law in the country and may serve as the template for other state privacy laws. If you collect the personal information of California Consumers then you are required to understand these rigorous requirements in order to avoid liability.
The above list is not exhaustive, nor does it include the laundry list of new implicit processes that the CCPA mandates. Without legal training and some basic understanding of tech, it is difficult, if not impossible, to discern what the CCPA requires. Our CCPA "Add On" to Expresso® allows you to perform a gap analysis vis-a-vis the CCPA requirements and, accompanied by our CCPA Checklist (included in the Add On), provides the road to remediation and compliance.
All of our competitors appear to be stuck on HIPAA because they don't or can't readily support other compliance regimes. Expresso® was built on NIST's Universal Grammar (NIST SP 800-30 Rev. 1) for conducting gap analyses or risk assessments and is therefore capable of supporting any compliance regime. Expresso® currently supports the HIPAA Privacy & Security Rules, GDPR, and now CCPA. We hope to have PCIDSS, 42CFR, and other compliance regimes online in 20201.