CCPA (California Consumer Privacy Act)
Following a major consumer data scandal involving Facebook and Cambridge Analytica in 2018, several new privacy regulations were established. The General Data Protection Regulation or GDPR is among the most widely publicized. It ensures that companies are fined if they violate consumer data rights. Although the GDPR applies to some US companies doing business in the EU, it’s largely a European initiative. That’s why the California Consumer Privacy Act or CCPA was enacted in 2018, to ensure that US consumers could demand that companies in possession of their data delete it on request. The law took effect on January 1, 2020. But what is the CCPA? What are its major provisions? And how does it differ from the GDPR?
CCPA – a definition
The CCPA is a consumer privacy act (AB 375) which enables California residents to request to see all the personal information a company doing business in the state of California may hold on them. In addition, companies must disclose which third parties they have shared the data with. If the law is violated, consumers are able to sue a business for breach of the regulation.
It was signed into law by Jerry Brown, the California Governor, in June 2018, and was originally born from a ballot initiative that collected over 600,000 signatures. The final Act is widely considered preferable to a ballot initiative because it can be amended in the future. In contrast, ballot measures – once initiated – cannot be easily amended.
The State of California Department of Justice describes the California Consumer Privacy Act 2020 as creating “new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” The California Attorney General is responsible for seeking public opinion to amend CCPA regulations.
What does the CCPA define as “personal” information?
Definitions of what one considers to be “private” or “personal” can differ from company to company. Under the CCPA, personal information is defined as any data that could identify, describe, or indirectly link to a person. Whilst name, email, date of birth, and address are clear examples of personal data, the Act goes much further. For example, it includes commercial information such as any records of products that a consumer purchased or rented. Other categories of “personal” information protected under the Act include online activities such as a user’s browsing history, audio history, geolocation data, or employment-related information. However, it does not cover information that is publicly available. You can view a full list of what constitutes “personal” information under the CCPA here.
The major provisions of the CCPA briefly explained
The Act has several major provisions that US businesses must adhere to. For example, consumers can request to know which personal information a company holds on them. At the same time, companies must state in their privacy policy what kind of information they collect and for what purpose. California residents can also request to know what their information is being used for and who it has been shared with.
Consumers now have the right to opt out of businesses selling their information to others. If a consumer requests that their data be deleted, companies aren’t allowed to refuse them service, with some exceptions. For example, a healthcare insurer wouldn’t be able to provide a service without collecting certain consumer data like date of birth or known health conditions.
The Act also stipulates that businesses must provide a website and a free-to-call phone number for consumers to make a request to have their data deleted. Any request made by a consumer to view their personal information must be followed up on within 45 days of being received. From January 2020 onward, companies must be able to verify records dating back 12 months.
Here’s an overview of some of the CCPA’s major stipulations:
- Consumers can ask to view the information a business has collected on them (including the type of data and format) and shared with any third parties dating back 12 months
- Consumers can request their information to be deleted
- Consumers may opt out of their data being sold
- Consumers have a right to not be refused service, with some exceptions
- Consumers have a right for their request to be answered within 45 days
What type of companies have to comply with the California Consumer Privacy Act?
The Act applies to all for-profit companies that provide services or products to residents in the US state of California which:
- Earn over $25 million in revenue each year
- Have collected personal data on more than 50,000 California residents
- Make 50% of their revenue from selling personal information of California residents
This means that a business doesn’t necessarily have to be based in California or even in the US to have to comply with the CCPA. Indeed, an international company that falls under the above will also need to adhere to the Act.
In reality, given California’s large population, many major companies are already serving California residents. Although businesses can install IP trackers to monitor whether they’re serving California customers, such costly technological additions may not be suitable for all businesses. It is therefore more likely that businesses will update their privacy policies to comply with the Act for all their customers. As data laws keep changing to address consumers’ privacy concerns, it’s expected that most US states will adopt more stringent regulations in the near future.
Small companies that do not collect large amounts of data, non-profit organizations, and sole proprietors that do not collect data or earn more than the threshold aren’t covered under the Act. Some other companies are also exempt from the CCPA, including insurance providers, agents, and support organizations. That’s because the latter are already covered under the California Insurance Information and Privacy Protection Act.
Time frame – when will companies need to begin to comply with the Act?
The CCPA took effect on January 1, 2020. This means all relevant businesses now need to comply with the regulations. However, because consumers can request data dating back 12 months, most businesses should have had data collection and management systems in place since the start of 2019.
Non-compliance: How is the Act enforced and what happens if a company doesn’t comply?
If a consumer complains that the Act has been violated, companies have 30 days to comply with the law. Where a business does not act swiftly or fails to comply, they may face fines up to $7,500 per case. For a company that deals with thousands of consumer records, intentional or unintentional non-compliance could quickly become costly.
What’s more, thanks to the bill, consumers have the right to sue a company for the first time – either individually or as a class. At the moment, it’s not known what statutory damages in the event of a class-action lawsuit could look like or what the upper threshold may be. Companies are therefore advised to take the Act seriously and ensure they comply. However, companies can avoid fines and lawsuits as long as they respond to customers within 30 days and make any requested amendments swiftly.
For unauthorized access and data breaches, for example through theft or negligence, the Act states that consumers can receive damages of between $100 and $750 per customer and incident.
Because many large businesses in the US also provide products and services in Europe, they will have already updated their privacy policies to comply with the GDPR. As such, they’re already on track to comply with much of the CCPA as some of the provisions are similar between the two. But how similar are the CCPA and the GDPR?
GDPR vs. CCPA: Differences and similarities
The CCPA is often dubbed the “American GDPR.” That’s because, in essence, many of its provisions are similar to those of its European counterpart. However, the CCPA is seen as a slightly more expansive and arguably stricter law than the GDPR. One of the main differences between the CCPA and the GDPR is the opt-out arrangement. Whilst the GDPR requires companies to allow consumers to opt out of data processing, the CCPA only enables opting out of the sale of personal information. That means companies can still collect private data, but can’t sell it without consent. The key differences and similarities between the two are shown in the table below.
| Feature | CCPA | GDPR |
|---|---|---|
| Reach | Covers data from California residents only | Covers all personal data in the EU |
| Right to access | Consumers can demand to view a record of all their personal data a company has collected or shared | Consumers can demand to view a record of all their personal data a company has collected or shared |
| Time frame | Answers to requests must be given within 30 days | Answers to requests must be given within 30 days, but if a request is complex the deadline can be extended to 3 months |
| Right to correct | Not included | Consumers can request their data records to be updated where errors are found |
| Right to withdraw or opt out | Consumers can only opt out of their personal data being sold | Consumers can withdraw consent for their data to be processed |
| Right to be informed | Companies must inform customers if and how they are collecting personal data | Companies must inform customers if and how they are collecting personal data |
| Right to be forgotten | Personal data can be requested to be forgotten, subject to certain conditions | Personal data can be requested to be forgotten, subject to certain conditions |
| Right to data portability | Companies must export (but not import) data in a user-friendly format | EU companies need to export and import data in a user-friendly format |
| Right to equal service | Required | Implied |
| Damages | Between $100 and $750 per customer per case | No threshold |
| Penalty charges | $2,500 for unintended and $7,500 for intended violations | 4% of global annual revenues |
Sources: PWC and Information Commissioner’s Office
The impact of the CCPA and what it means for consumer security
The CCPA has far-reaching consequences for many businesses in the US and abroad. “Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private,” said Xavier Becerra, the California Attorney General. As a consequence, companies may incur considerable costs to comply with the Act. They should also prepare for a large number of incoming consumer requests and the eventuality of fines and litigation. Companies that already comply with the GDPR will need to carefully examine whether they should make additional updates to their privacy policies. Over the next few years, there’ll likely be several updates to the CCPA and businesses will need to make sure they keep up with changing regulations.
The California Consumer Privacy Act is seen as the beginning of a wave of privacy regulations sweeping the US. Experts predict that 2020 will be a key year for major updates to consumer personal data protection laws, especially in states like New York and Massachusetts, where the New York Privacy Act and the Act Relative to Consumer Data Privacy are already pending, respectively. Business owners are advised to put measures into place that allow them to adapt quickly to new or changing personal data requirements.