California Data Privacy Law: Guide for Startups
Building an effective data policy as a startup in California requires an understanding of the evolving data policies. The California Privacy Rights of 2020 is currently set to replace the California Consumer Privacy Act of 2018. Therefore, you must build your data privacy around these new rules to maintain compliance and build trust with consumers.
This article compares the California data privacy policy changes and other critical factors to adopt when creating an excellent data privacy policy for your startup in California.
Let’s get started.
The Ccpa vs. Cpra
The California Consumer Privacy Act (CCPA) is a statewide privacy law regulating how for-profit businesses worldwide manage California residents’ sensitive data. It gives users the right to opt-out of selling their personal information, delete, and request disclosure of the data collected.
Under the CCPA, personal information (PI) includes name, postal address, and social security numbers. It also consists of consumers’ cookies, IP addresses, account names, location, browsing history, etc.
The California Privacy Act of 2020 (CPRA) will take effect on January 1, 2023. Like the CCPA, it applies to for-profit organizations in California and others worldwide, offering services to California residents. Its regulations support the CCPA, but it updates many of them and introduces new policies. Osano’s guide to CPRA is an excellent resource for learning more about complying with the new data privacy guidelines.
How CCPR Differs from CCPA
Below are the main differences between the CCPR and CCPA. When building your data privacy to comply with the new governing policies, keep these changes in mind.
1. a Slight Change to Those Affected
The CCPA affects businesses that sell the data of more than 50,000 California residents yearly or makes an annual gross revenue that exceeds $25 or generates above 50 percent of their yearly income selling California’s residents’ data.
On the other hand, although the CCPR applies to companies with above $25 million annual revenue and 50% yearly revenue from selling consumers’ data, it applies to companies who sell the data of over 100,000 California residents, doubling what the CCPA requires.
2. There’s an Update on Personal Information
Personal information under the CCPA includes direct information (including real name, alias, address, and social security number) and Biometric data (face and video recordings).
Additionally, it provides geolocation information (location history), internet activity (browsing and search history), and sensitive information ( behavioral and personal characteristics, health, employment data, sexual preferences, etc).
On the other hand, CCPR updates and includes other factors such as personal information. This consists of Government ID (Social Security numbers, passports), geolocation, sexual orientation, and genetic information. It also entails financial information (access codes and credit cards), communications (passwords, etc.), race, and religion.
3. It Provides Greater Control Over Your Personal Information
While the CCPA gives users the right to opt-out of businesses selling their personal information, the CCPR gives them the right to tell companies not to sell their data.
Additionally, you must include a link on your homepage with “Limit the Use of My Sensitive Personal Information.” This gives consumers the right to control how they use their data as a business.
4. It Gives Minors Greater Control Over Opt-In
The CCPA mandates businesses to request opt-in consent to sell the data of California residents below sixteen years. However, companies are expected to wait for another twelve months if a minor doesn’t opt-in under the CCPR.
5. There is a Data Retention Limit
There is a limit to how much data organizations can collect, retain and use under the CCPR. The regulation states that a company can’t keep personal information for other reasons other than the purpose of collection.
Also, they can’t retain it longer than the duration required. Users also have the right to tell a business to delete their data so that organizations can notify the third parties involved.
6. It Doesn’t Allow Retaliation
Businesses are not allowed to discriminate against consumers for exercising their opt-out rights. Therefore, organizations can’t charge higher prices or deny them goods and services.
7. It Allows Customers to Request Data Transfer
Consumers can ask a business to transfer their sensitive information to another entity using a structured, machine-readable format.
Best Practices to Adopt for Adequate Data Privacy
Below are top practices for building excellent data privacy that protects you and your customers in California:
1. Adhere to the CCPA and CCPR policies
A crucial step to a practical data policy is to adhere to the California data privacy policies mentioned above. You can protect users’ data privacy and maintain compliance to avoid sanctions and fines.
Therefore, educate employees about the principles to impact how they gather, store and share your consumers’ data.
Additionally, perform regular audits to ensure the company constantly adheres to data governing policies for standard compliance.
2. Collect Relevant Data only
Collecting sensitive details relevant only to an action a consumer wants to perform reduces the value of your external data. It also makes users trust you better.
Reducing data’s value means hackers are less likely to be interested in breaching your information.
For example, if all they can acquire from you is a bunch of customers’ names and email addresses, they are less likely to go through the hassle of hacking your data.
However, keeping highly confidential information like access codes, location, and household income details makes your company a high target for hackers. So, limit unnecessary information and focus on what is essential.
You also build trust in customers when you stick to the basics. For instance, they are likely to trust you better and put in the required information if you stick to what is relevant to the action they want to perform. If you ask for their names and email address to send a document to them, they are less likely to question your authenticity and input their details.
However, suppose you ask for bank details, postal addresses, and other sensitive information irrelevant to the action. In that case, they will begin to question your validity and may not input their data.
Essentially, limiting information volume will reduce the risk of data breaches. It will also increase users’ confidence in the company. So, before requesting their data, examine how useful it is to the company and their purchase experience. If it’s unnecessary, don’t request them.
3. Be Transparent About the Data You Collect and Use
Promoting employees’ data privacy includes openness about how and where you gather users’ information. So, make these details publicly available by adding them to your privacy policy or website cookie policy.
Apart from obtaining trust from customers, doing this also helps you comply with the CCPR policy. Failure to do this often leads to sanctions, so ensure you notify users about how you obtain their information.
4. Limit Access to Data
Another effective way to achieve data privacy is to restrict those who have access to the company’s data. The more people who can access your data, the higher your data’s vulnerability. For example, if thirty accounts have access to the company’s information, your information is exposed to thirty points of vulnerability.
However, limiting those who have access lowers the exposure of the data to breaches. So, let fewer employers have access to the data. Do this by limiting those who can access information to those that work with it. For instance, the accounting team may not need customer behavior information, while the Human Resources team may not need access to information relating to customers’ financial accounts.
The critical factor here is to put restrictions on those who can manage and control users’ private information. It goes a long way in protecting the data from intrusion and promotes accountability. Since you know the few people who have access, you can hold them responsible if anything goes wrong.
5. Make Public Explanations if Data Breaches Occur
Make public declarations if you experience data loss or notice of unauthorized access to consumers’ data. Back this with an explanation of why and how it happened. Then, inform the public about how you managed the situation and the measures taken to prevent future occurrences. When you do this, you project a positive brand reputation as a company that values customers’ privacy. You also comply with the CCPR regulations to avoid penalties.
6. Do Not Use Data for Unauthorized Purposes
Use customers’ private information for intended purposes. Don’t request their data for a reason and use it for a different purpose. Doing this will lead to a violation of the CCPR policies. It could also reduce consumers’ confidence in your brand. As a result, it will hamper good customer relationships and attract extra expenses from fines and other penalties.
7. Provide Sufficient Processes to Collect and Delete Their Customers’ Private Information
Create a transparent and detailed process that highlights how you collect customers’ data, what you do with it, and how you delete it after use. Your customers want to know these details, so providing sufficient information will show how much you cherish their data privacy.
Conclusion
Creating a successful startup in California requires excellent data privacy that complies with the CCPR’s policies. Therefore, this article compares what the CCPR policy entails and other best practices to consider with building adequate data privacy for your customers.
Nuno
I'm a filmmaker with extensive training in multiple sectors of content creation whose films have been shown all over the world. I have also served as a speaker and jury member in multiple events. Nonetheless, in recent years, I became extremely disappointed with the course of the art world in general, and as consequence, I've developed an interest in topics I believed would become crucial for the future, namely, cybersecurity, self-education, web design, and investing in various assets, such as cryptocurrencies. All those events have driven me to launch RushRadar.