All You Need to Know About the California Consumer Privacy Act (CCPA)
The EU’s General Data Protection Regulation (GDPR) has sparked a global movement aimed at protecting individuals’ data and enforcing stricter regulations on entities processing large amounts of data. While some of these regulations were years in the making, others have taken the GDPR as an example to follow, creating similar laws adapted to their local context. Among these, the California Consumer Privacy Act (CCPA), now considered the most exhaustive and consumer-friendly privacy law in the United States, has been one of the most prominent.
The CCPA came as a surprise to many due to the hasty way it was signed into law on 28 June 2018. Drafted and passed to avoid the inclusion of a similar bill on voter ballots in the November 2018 elections, certain aspects of the initial bill were deemed too vague and confusing, sparking an outcry from the business sector. Taking these complaints into consideration, the first amendments to the CCPA were proposed and signed into law by the governor of California on 28 September 2018.
The CCPA comes into effect on 1 January 2020, but the California Attorney General has until 1 July 2020 to promulgate the final regulations. The CCPA can be enforced only six months after the date of the final regulations, meaning that the earliest possible date for enforcement is 1 July 2020 and the latest, 1 January 2021.
Who does the CCPA protect?
Much like the GDPR, the CCPA is aimed at protecting individuals. The exact terminology used however is that of “consumers” as defined by the California Code of Regulations, namely natural persons who are California residents. The same code further clarifies that a California resident is an individual who is in the State for other than a temporary or transitory purpose or is domiciled in the State and is outside the State for a temporary or transitory purpose.
Who does the CCPA apply to?
The CCPA has clear application criteria: it is aimed at businesses who collect personal information from consumers and do business in California for profit or for the financial benefit of shareholders. However, these businesses must surpass three minimum thresholds to fall under the incidence of the CCPA:
- $25 million in annual gross revenue
- Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers
- Derive 50 percent or more of annual revenue from selling consumers’ personal information
New Rights and Obligations under the CCPA
The CCPA gives consumers a number of new rights in relation to their data. Here are the major four to keep in mind:
- the right to know as well as request disclosures about what personal information businesses collect about them, where it’s sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
- the right to opt-out of the sale of personal information to third parties (for consumers who are under 16 years old, the sale of personal information now requires an obligatory opt-in);
- the right to have a business delete their personal information (some exceptions apply);
- the right to be free from discrimination when exercising their rights under the CCPA: businesses cannot deny, charge different prices or provide a different quality of goods or services or suggest that the consumer will receive a different price or quality of good or services if they choose to exercise their rights under the CCPA.
Once the CCPA comes into force, companies falling under its incidence will be required to update their privacy policies to disclose to users their new rights under the CCPA as well as the categories of personal information they collect and for what purposes, and what personal information was sold or disclosed in the preceding 12 months. What this essentially means is that companies will need to be aware of the data they collect and update their privacy policies every 12 months to keep the disclosures up to date and in line with the requirements of the CCPA.
Companies selling personal data to third parties will have to disclose it on their business’ home page by giving consumers the ability to opt out of the sale through a clearly visible link titled “do no sell my personal information”. For consumers between the ages of 13 and 16, businesses will need their affirmative consent to sell their personal information. For children under the age of 13, affirmative consent is needed from a parent or guardian before their data can be sold.
The CCPA requires businesses to provide at least two ways in which consumers can submit requests for data disclosure. Companies will have to answer requests for information free of charge within 45 days of the receipts of the consumer’s request, although under certain circumstances, the deadline may be extended.
It’s worth noting that while businesses are strictly forbidden from discriminating against consumers, they are allowed to use financial incentives to dissuade consumers from opting-out of data sale, collection etc.
What type of information does the CCPA protect?
The CCPA protects personal information defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. Examples of these consist of PIIs such as real names and aliases, passport numbers, email addresses, postal addresses etc., biometric information, employment and education information, geolocation data and more.
It also includes internet or other electronic network activity information such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement, as well as inferences drawn from information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Information already subject to federal privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Information Portability and Accountability Act (HIPAA), is exempt from compliance with the CCPA. While originally, information falling under the incidence of federal laws was exempt from CCPA compliance only when the CCPA conflicted with these laws, after the amendments of September 2018, the exemption now applies across the board.
Penalties under the CCPA
The CCPA imposes penalties of $750 per consumer per incident or actual damages, whichever is greater. Consumers will have the right of action when a company has suffered a data breach as a result of the company’s failure to implement reasonable security measures. They must however first contact the company and give them 30 days to take care of the violation before initiating an action. The California Attorney General can also issue civil penalties of $2,500 per violation of the CCPA, and up to $7,500 per each intentional violation.
While these stipulations might seem meager compared to the penalties applicable under the GDPR, in the US, companies face the risk of class action suits which can considerably increase companies’ losses.
As data collection and protection becomes increasingly legalized, companies will have to ensure their policies are in line with them to avoid fines and earn users’ trust. Luckily, tools exist to aid them on their road to compliance.