The CCPA is Now in Effect
As of 1 January 2020, the California Consumer Privacy Act (CCPA) is in force and companies hoping they would be granted a further six months of respite from enforcement while final regulations are being promulgated, might be in for a rude awakening. Attorney General Xavier Becerra has stated that the CCPA compliance deadline will remain 1 January which means that, once the AG’s office will start enforcing it, it will be taking on violations retroactively to the beginning of 2020.
The sudden appearance of the CCPA onto the data protection legislation scene one month after the EU’s General Data Protection Regulation (GDPR) came into force in 2018 took California businesses by surprise and sent shockwaves across the US due to its exhaustive requirements and focus on consumer rights. Since it was signed into law on 28 June 2018, the CCPA has been at the center of a tug-of-war between privacy and industry advocates as they argued over the fine print.
However, while several amendments have been made to the law and the AG is currently reviewing its final regulations, the CCPA’s teeth have remained very much intact and companies hoping later updates to the law would reduce some of its impact have been sorely disappointed. The amendments brought some much needed clarity to the scope of the CCPA instead.
New Rights and Obligations under the CCPA
The CCPA most notably grants California consumer several new rights. They can now opt out of the sale of their personal information to third parties, request disclosures about what personal information businesses collect about them, where it’s sourced from, what it is being used for, whether it’s being disclosed or sold, and to whom it is being disclosed or sold. They also have the right to request that their data be deleted and the right not to be discriminated against when they exercise their rights under the CCPA.
Companies selling personal data to third parties will have to disclose it on their business’ home page and give consumers the possibility to opt out of the sale through a clearly visible link entitled “do no sell my personal information”. For children under the age of 13, consent for the selling of their personal information will be needed from a parent or guardian beforehand.
When it comes to consumer requests for data disclosure, companies are obligated to offer consumers at least two ways of contacting them. One of these methods must be a toll-free number, but companies doing business exclusively online can provide only an email address. Companies will have to answer requests for information free of charge within 45 days of the receipt of the consumer’s request, although the deadline may be extended under certain circumstances.
Enforcement of the CCPA
The AG will be able to enforce the CCPA only six months after the final regulations have been promulgated or 1 July 2020, whichever comes first. The civil penalties the AG’s office can issue amount to up to $2500/unintentional violation or up to $7500/intentional violation assessed on a per consumer basis. Given the AG office’s limited resources, the AG has declared that while the CCPA will be applied retroactively, leniency will be shown to companies that can demonstrate an effort to comply.
The CCPA also grants California consumers a private right of action and statutory damages against businesses that have lost their personal information in a data breach due to poor security procedures and practices. Consumers must first notify businesses of the breach and give them 30 days to rectify the violation before initiating a litigation. Statutory damages range from $100 to $750 per consumer per incident.
Developments in 2020
The CCPA brought data protection legislation to the center stage in US legislative debates, with several states now pushing for stricter privacy laws with various degrees of success, and talks of a federal privacy law being rekindled, this time with support from the business sector, in hopes that nationwide policies would supersede a patchwork of state-level laws thus simplifying compliance efforts.
In November 2019, Alastair Mactaggart, the drafter of the 2018 California ballot initiative that served as the basis for the CCPA, announced that he filed a new initiative for California’s November 2020 ballot entitled the California Privacy Enforcement Act (CPEA). Through it, he aims to strengthen some of the CCPA’s provisions and most notably, provide for the creation of a California Privacy Protection Agency to enforce the law and provide necessary guidance to industry and consumers. The initiative comes amid concerns that the AG does not have the resources needed to effectively enforce the CCPA in the long run and may find itself overwhelmed once complaints start pouring in.
The CCPA is now in effect and companies failing to comply with it may find themselves on the receiving end of stiff fines and endless litigations. Privacy as a legal obligation and fundamental right is here to stay and whatever the bill for compliance may be at the moment, in the long run, the faster companies become compliant, the better.