California has a new privacy law dubbed CCPA or the California Consumer Privacy Act. This law allows consumers to have more control over their private data. CCPA puts organizations that develop mobile apps on notice. These corporations should take measures of safeguarding private information or face regulatory fines. This law came into effect on Jan 1, 2020, and is considered one of the most stringent privacy laws in the U.S. CCPA allows California consumers to be conscious of what personal information corporations are collecting and selling. Under this law, a consumer can direct companies to delete their personal information and restrict them from acquiring and transmitting their information. Here is a breakdown of the provisions of CCPA.
Who Does CCPA Protect?
CCPA aims to protect individuals. According to the California Code of Regulations, a consumer is any natural person who resides in California. A California resident is any person who is in the State or is domiciled in the State but is outside the State for a temporary purpose. Persons who are in the State for a temporary or transitory purpose do not qualify as California residents.
The CCPA applies to businesses that gather personal information from consumers and operate in California for-profit or the financial gain of their shareholders. To be subject to this law, businesses must meet the following criteria:
- Make an annual revenue of $25 million
- Buy, receive, sell, or share the personal information of 50,000 or more consumers for commercial purposes
- Earn a revenue of 50% or more from selling consumers’ personal data
What is Considered As Personal Information?
The CCPA defines personal information to be any information that describes, identifies, relates to, or can be associated with, either directly or indirectly, a particular consumer. CCPA has the following classifications of personal information:
- Identifiers: Name, unique personal identifier, email address, social security number, account name, passport number, driver’s license, and other related identifiers
- Information on customer records: These includes telephone numbers, address, social security numbers, medical information, any other related information
- Protected classifications under federal law: Race, gender identity, sexual orientation, and religion
- Commercial information: Information on purchases obtained, personal property, and other consuming histories
- Education information:
- Professional/employment-related information
- Geolocation data:
- Internet or electronic network information: search and browsing history, and any related data.
- Audio, visual, electronic, olfactory, or other related information
- Biometric information: fingerprints, hair color, voice, facial recognition, or any related data
- Inferences: Some of the inferences that can be used to develop a profile that matches a consumer include characteristics, aptitudes, behavior, psychological trends, predispositions, and intelligence.
What Is Not Personal Information
The CCPA also defines what should not be considered as personal information. This includes public information that is contained by local, state, or federal records. The types of information that are exempted from CCPA regulations include medical and financial information, which is regulated by HIPAA (Health Information Portability and Accountability Act).
How Does It Apply To Mobile Phones
The introduction of CCPA and other privacy legislation demonstrates the importance of data privacy to both consumers and politicians in America. This is why mobile app business owners, developers, legal, risk and compliance, and security teams should be keen on how their applications gather, transmit, and store sensitive information.
Mobile applications typically collect vast amounts of personally identifiable information like names, usernames, and mobile-specific data like a device’s serial number, geolocation, and mobile advertising tracking. The CCPA law impresses upon mobile app developers to adopt privacy and security measures in their development processes and test their mobile applications for the risks of privacy and security to avoid data exposures.
Under CCPA, mobile devices are considered to be endpoints. Businesses are required to protect 60% of their company’s endpoints. CCPA also insists on on-device instead of cloud-based protection for mobile devices. Businesses should protect mobile devices against network, phishing, device, or any other attacks.
Penalties Under CCPA
Under the CCPA, a company is liable to pay up to $750 for every consumer and for every incident. Consumers are entitled to sue a company that has been breached because of their weak security standards. However, before taking any action against the company, the consumer has to give it a 30-day notice to address the breach. The California Attorney General is also capable of penalizing companies for CCPA violations. The penalties range from $2,500-$7,500 per violation.
If you are a mobile app owner or developer, you should ensure your applications meet the CCPA criteria or face harsh penalties. It would be best if you put in place security measures in the development phase of your applications to avoid attacks that target client information. Consumers now have a right to ask organizations to delete their information and can even sue a business after a significant security breach. CCPA has paved the way for more data protection laws that are projected to offer additional protection to mobile consumers.