The California Consumer Privacy Act (CCPA) is a set of state laws that boosts privacy rights and consumer protections for California residents. Assembly Bill 375 was signed into law by former California Governor Jerry Brown in June 2018. The CCPA will take effect January 1, 2020, with enforcement deferred until July 1, 2020.
The CCPA Creates New Consumer Rights
The CCPA gives consumers the right to know what information companies collect about them, why the companies collect such data and with whom the companies share the data. The CCPA further gives consumers the right to order companies to delete their information and not sell or share their data. The CCPA will give California residents the strictest data privacy protection in the country.
Parts of the CCPA May Change
California’s legislature passed amendments to the CCPA in September 2018 as Senate Bill 1121. California Governor Gavin Newsom signed additional substantive amendments into law in October 2019. State legislators are still attempting to modify the CCPA by proposing bills that carve out exemptions and change definitions.
The CCPA’s Look-Back Provision
Although the CCPA takes effect in January 2020, the law has a look-back requirement. Businesses were supposed to start keeping records of consumers’ personal information on January 1, 2019. A consumer can make requests relating to collection and sale of her personal information during 2019.
Who Must Comply With the CCPA?
Businesses that collect consumers’ personal information and do business in California must comply with the CCPA. The business must meet at least one of these thresholds: have annual gross revenues over $25 million; possess the personal information of 50,000 or more consumers, households or devices; and earn more than half its annual revenue from selling consumers’ personal information. Companies like Amazon, Facebook and Google would have to comply with the CCPA.
Businesses Outside California Must Comply
Businesses with headquarters outside the state of California that do business in California are required to comply with the CCPA. Doing business in California includes conducting online transactions with people who live in California, having employees working in California or having certain other connections in the state. Further regulations will likely define what doing business in California means when applied to the CCPA.
How the CCPA Guides Businesses
The CCPA provides businesses with guidelines of how to comply with the laws. These guidelines are still being delineated. Some procedures have been clarified, such as informing consumers how to opt out. A business must provide a clear and conspicuous link on its website that says: Do Not Sell My Personal Information or Do Not Sell My Info.
Who Enforces the CCPA?
The California Attorney General enforces the CCPA by pursuing civil penalties of up to $7,500 per violation. A consumer can bring a private right of action of between $100 and $750 per incident for a business’ unauthorized disclosure of her data. Before filing a lawsuit, she must provide the business 30 days to cure the alleged violation.
What Information Does the CCPA Cover?
The CCPA covers personal information that identifies and relates to specific consumers and households. Personal information does not exclude some publicly available government records. The CCPA remains somewhat vague; the number of the categories of information it covers overlap with the categories of information covered by the European Union’s General Data Protection Regulation.
Differences Between the CCPA and GDPR
The CCPA applies to California employees and residents. The CCPA centers on a consumer’s right to opt-out of the collection and sale of his personal information. The EU's GDPR applies to people physically located in the European Union. A citizen of a country that belongs to the E.U. is not covered by the GDPR when she travels to a non-E.U. country. The GDPR is focused on opt-in collection practices.
Security Requirements for CCPA Compliance
The CCPA does not place data security requirements on businesses. Businesses are expected to come up with security practices that fit the risks of a data breach. Businesses are tasked with guarding consumer information from unauthorized access, theft and disclosure.
How the CCPA Covers Children
The CCPA makes it illegal to sell the personal information of a consumer under 16 without his consent. A child between the ages of 13 and 16 can directly provide consent. A child under 13 requires parental consent. The requirements of the Children’s Online Privacy Protection Act apply in addition to the CCPA’s requirements.
The CCPA Covers B2B Businesses
The amendments to the CCPA exclude business to business (B2B) communications and transactions from the terms of the CCPA until January 1, 2021. The CCPA provides no exceptions for businesses that serve other businesses. An example of a B2B business is a company that creates software for human resources departments.
The CCPA Act Covers Employees
The amendments to the CCPA exclude job applicant, employee and personal contractor information from the terms of the CCPA until January 1, 2021. The CCPA further requires that a business can not ask a consumer to create an account solely to make a CCPA request, such as an opt-out request. The CCPA requires a consumer to use her existing account, if she has one, to make a consumer request.
Businesses Can Offer Incentives to Opt In
The CCPA Act allows a business to offer financial incentives to a consumer for collecting and selling her personal information. The business must get the consumer’s opt-in consent before using his data to generate a profit. The consumer can withdraw his consent at any time. The value of the incentive must be directly related to the value of the consumer’s personal information.
The Right to Access
Consumers have a right to request a business to share the categories of personal information the business collected, including unstructured data such as emails, images and files related to consumers and households. For example, a consumer could make an access request for a photo of a consumer posted on a platform like a dating website and mobile app. A consumer could also make an access request for a record of security breaches in her house monitored by a home security system.
The Right to Equal Services and Prices
The CCPA does not allow businesses to discriminate against a consumer by charging him more or denying him services if the consumer exercises his rights under the CCPA. For example, if a consumer requests that an online grocer delete his personal information, the business cannot charge him a higher price for food than other consumers. The right to equal services and prices only comes into play when a consumer exercises a specific right under the CCPA. To clarify, a business can deny a customer service, but it cannot deny him service for exercising the right to delete.
Other States Follow California’s Example
In Nevada, online privacy rules similar to the CCPA took effect on October 1, 2019. Nevada’s Senate Bill 220 imposes fines on businesses of up to $5,000 for not having data handling requirements. The laws in SB 220 allow consumers to opt out of data collection. Legislation similar to the CCPA is also gaining support in New York and Washington, D.C.
- State of California, Department of Justice, California Consumer Privacy Act
- CSO from IDG: California Consumer Privacy Act, What you need to know to be compliant
- The New York Times: The Fight Over a Landmark Digital Privacy Law
- Policy & Medicine: A Rockpointe Publication, California AG Releases Draft California Consumer Privacy Act (CCPA) Regulations
- The National Law Review: California Consumer Privacy Act, Are You Ready?
- Lexology: Privacy Regulations Proposed for CCPA by California Attorney General
- American Bar Association: California Consumer Privacy Act
- The National Law Review: Does the CCPA Apply to Your Business?
- Forbes: How the CCPA Will Impact the World's Digital Economy
- Nevada Legislative Council Bureau: SB 220
- EU GDPR.org: GDPR Facts