On Jan. 1, 2020, the most extensive data privacy laws in the United States went into effect in California. The California Consumer Privacy Act (CCPA) gives residents the right to know what data companies collect and to ask those companies to delete that data or refrain from selling it. All companies operating in California must make changes to their privacy programs to ensure compliance with the new laws.
What Data Does the CCPA Cover?
In addition to basic identifying information like a person’s name, phone number, physical address, username and password, the CCPA covers information companies can use to track online behavior, such as an IP address.
Data relating to a person’s race, religion, marital status and sexual orientation also falls under the scope of the Act, as does biometric information like fingerprints and facial recognition data.
Information that exists in public government documents is not covered by the new laws, but if a company wants to obtain that information, it must get it directly from official records and not other sources like a person’s social media accounts. The CCPA also places restrictions on companies in relation to selling the personal information of children under 16.
Protecting Privacy in California
Anybody can send a California privacy rights notice to a company asking it to delete or refrain from selling his data. A parent can also do this on his child’s behalf, for example, if a teenager uses TikTok or Spotify. The company must comply with this request to avoid violating the CCPA.
However, if it is necessary for the company to keep certain data about a consumer to complete a transaction or protect against fraud, it does not need to comply. For instance, a streaming service may argue that it is necessary to collect information such as age, gender and viewing habits in order to recommend programming.
Every company should have its data privacy forms available to download from its website. After the form is completed, it should be filed with the company either electronically or by mail. Under the new laws, companies should send a response within 45 days of receiving the request to delete or refrain from selling data. Everyone in California can request their personal information (going back 12 months) from businesses twice a year, at no charge.
Violation of the CCPA
If a business violates the new laws, it can be fined $2,500 per violation or $7,500 per intentional violation. That has the potential to result in a huge fine if large numbers of consumers are affected.
A company suspected of violating the new laws will be investigated by the California Attorney General. Some controversy surrounds this, however, as California Attorney General Xavier Beck has said publicly that he doesn’t have the resources required to investigate every reported violation. He proposed an amendment to the Act to give consumers the right to sue a company directly, but this failed to pass.
In one instance, a person does have the right to sue a business directly – if her personal information is lost in a data breach which happens as a result of the business’s negligence. This means more class action lawsuits are likely against businesses attacked by hackers.
Companies Exempt From CCPA
Not all businesses have to comply with the new laws. If a business has revenue of less than $25 million, collects personal information on fewer than 50,000 people or makes less than 50 percent of its revenue from selling consumers’ personal data, it is exempt. Additionally, any business that collects or sells the personal data of Californians must comply with the CCPA even if it is not based in California, meaning that this law applies to businesses in different states or even different countries.
No other states have privacy regulations like California's, but some are considering similar laws.