Before diving into the California Consumer Privacy Act (CCPA), here’s an interesting tidbit for you. Did you know that the human brain receives and processes 400 billion bits of information every second? That’s 50 gigabytes of information in just one second.
For context, think about how much information you would need to store to fill up a 50GB hard disk. Now consider doing that in one second. It’s pretty amazing, right? In the same way, people also generate copious amounts of data that give insight into what makes them tick.
Businesses leverage this information to customize their consumers’ experience and increase their bottom line. It is virtually impossible to come across a business that doesn’t collect information on their consumers.
Remember Facebook’s 2018 user-accounts breaches? Well, they made the news again in 2019 after hundreds of millions of user records were leaked on Amazon cloud servers. But where do businesses draw the line? Are you even aware of the amount of data about you that’s out there, who has access to it, and how it is used?
The California Consumer Privacy Act seeks to change all that. Here’s what you need to know about it.
What Is the 2020 California Privacy Law – CCPA Overview
On June 28, 2018, California Governor Jerry Brown passed the first major data privacy law in the United States. It gives California state residents the right to:
- Know what personal information businesses and other entities are collecting about them
- Know why their personal information is being collected
- Know whether or not their personal information is disclosed or sold to third parties
- If their personal information is disclosed or sold, know the identity of the third parties receiving the information
- Request their data to be deleted
- Opt out of the sale of their personal information
- Initiate civil action against an organization if they believe it failed to protect their data
The CCPA was introduced and passed in a record time of one week, merely hours before the 2017-2018 legislative session drew to a close. This was incredibly fast for a law that would have such widespread implications.
While the law will go into effect on January 1, 2020, enforcement begins on July 1, 2020. The CCPA law has been labeled a landmark policy as it will see California implement the strongest privacy controls any state in the US has ever seen.
Do the CCPA Regulations Apply to Your Business
If you have a company, you first need to assess whether the new law applies to your business and its business partners. The term “business” refers to any legal entity whose structure and operation are for the profit or financial gain of its owners. CCPA compliance is mandatory if your business meets the following criteria:
- Your business operates in California
- It collects personal consumer data
- Your business has annual gross revenues that exceed $25 million
- It buys, receives, shares or sells personal information belonging to 50,000 or more consumers, devices or households yearly
- It decides how and why consumers’ data will be processed
- 50 percent or more of its annual revenues come from selling consumers’ data
Any entity that meets the above criteria has to comply with the new law regardless of its geographic location if part of its business is in California or it has Californian consumers. The exception only applies if all of a business’s operations and dealings take place wholly outside of the state. This applies when:
- The consumer was outside of California when their information was collected
- The sale of the consumer’s personal information did not occur in California
- The sale of the consumer’s personal information did not occur while they were in California
The law will impact more than 500,000 US companies, the majority of which are small- to medium-sized enterprises, and applies to business-to-business (B2B) as well as business-to-consumer (B2C) companies.
CCPA Definition of “Consumer” and “Personal Information”
The term “consumer” as used in the new law refers to California residents. It is further defined in the law as:
- Any individual in the state who isn’t in transit or residing there temporarily
- Any individual who is a California state resident but is in transit or is temporarily living in another state
Additionally, the CCPA definition of “personal information” borrows from the one applied under the California Data Breach Notification Law. It refers to an individual’s first name or initials, or their last name combined with the following elements that are neither redacted nor encrypted:
- Their social security number
- Their Californian identification card number
- Their driver’s license number
- Their health insurance information
- Their medical information
- Account number, debit or credit card number alongside any password, security or access code that would authorize access to their financial account
The law also defines “personally identifiable information” (PII) as information that can identify, describe, relate to, be reasonably linked with, and be associated with a particular individual or household. It includes:
- Commercial information like purchasing history or records of personal property
- Biometric information
- Education information
- Professional/employment information
- Internet activity
- IP addresses
- Geolocation data
- Audio, visual, electronic, olfactory or thermal information
- All characteristics of protected categories under federal or California State law
The CCPA may not apply to a single, one-time transaction where the data collected is not re-identified or sold. It also doesn’t apply to the use of pseudonyms in place of actual consumer IDs or to de-identifying personal information required for internal analytical purposes or research.
Implementation of the CCPA
The California State Attorney General will be charged with enforcing the CCPA. There are two principal types of enforcement actions that can be taken:
- Section 17206 of the California Business and Professions Code states that the Attorney General can take legal action against a non-compliant business
- If a data breach involving unredacted or unencrypted personal data occurs, a consumer is granted the CCPA private right of action and statutory damages
Private right of action in this context means that affected individuals or entities are permitted to file a suit or class action if their unredacted or unencrypted data was subjected to unauthorized access. The CCPA fines for noncompliance are also addressed. Businesses that intentionally violate the law are given 30 days to resolve the issues and are fined $7,500 for each violation.
On the other hand, businesses that unintentionally violate the law and fail to resolve the issues within 30 days are required to pay a penalty of $2,500 per violation. 20% of the cumulative fines are channeled towards a Consumer Privacy Fund that will be set up.
How Businesses Can Comply With CCPA
The CCPA compliance checklist for businesses includes disclosure requirements for collecting and selling consumer data.
1. Data Collection Disclosure Checklist
Any business that is collecting consumer data has to comply with the following requirements by January 1, 2020:
- Disclose to consumers which categories of personal information will be collected
- Disclose to consumers the purposes for which the different categories of collected personal information will be used
- After the initial disclosures, consumers must be given notice of any additional categories of information that will be collected as well as their respective purposes
- Disclose to consumers their rights to request deletion of their personal information
- Disclose to consumers the limitations to their right to request deletion of their personal information
2. Data Sale Disclosure Checklist
Any business that sells or intends to sell consumer data has to comply with the following requirements by January 1, 2020:
- Disclose to consumers that their information may be sold
- Disclose to consumers that they have the right to opt out of the sale of their personal information
- Disclose to consumers which categories of their personal information it has sold in the last 12 months
- Disclose to consumers if no sale of their information has occurred in the last 12 months
- Disclose to consumers which categories of their personal information have been shared or sold for a business purpose in the last 12 months
- Include a clear and conspicuous link on the business website homepage stating “Do Not Sell My Personal Information”
- Provide the above link to any consumer visiting the website without requiring them to create an account on the site
- Describe on the website the consumer’s right not to face any form of discrimination if they opt out of the sale of their data
- Describe a consumer’s rights as detailed under Section 1798.120 as well as an additional link to the “Do Not Sell My Personal Information” page
- Clearly and conspicuously provide one or more ways through which consumers can submit requests regarding the handling of their personal information
- Acquire an explicit opt-in confirmation from a parent/guardian to sell children’s data if the child is below the age of 13 or from the child themselves if they are between the ages of 13 and 16 years
GDPR vs. CCPA – Are They Similar
The CCPA has been widely regarded as being similar to the EU’s GDPR. But, what is GDPR anyway? GDPR stands for General Data Protection Regulation, which went into effect on May 25, 2018. It is designed to protect citizens of the EU and applies to any company globally that collects, sells, or stores the personal information of EU citizens.
Many people are quick to draw comparisons between the two laws. However, the scope of the CCPA isn’t nearly as wide as that of the GDPR. If you own a US-based business and believe that GDPR compliance automatically makes it CCPA-compliant, you’re wrong. Here are some notable differences between the two acts.
- The CCPA requires full disclosure to consumers as well as transparent communication channels. This isn’t the case with GDPR.
- The CCPA definition of “personal data” extends beyond that of individuals to include data on households and devices. The GDPR definition isn’t as encompassing.
- The CCPA gives California state residents more rights with regard to access to their data as well as its deletion. The same can’t be said for the GDPR.
- The CCPA is more restrictive when it comes to data sharing for commercial purposes. The GDPR doesn’t have quite as many constraints.
- The CCPA makes it harder for companies to offer free or premium services based on whether or not the consumer provides their explicit consent to the monetization of their personal information.
- The GDPR requires privacy awareness training to be provided to the general public. This isn’t the case for the CCPA.
Why Is the California Privacy Law Important
The CCPA provides a solution to the long-standing “trust crisis” that plagues the digital realm and consumers. Your data belongs to you. This means that you have the right to dictate how and where (if at all) it is used. Here’s why the CCPA is important to consumers:
- The infamous Facebook Cambridge Analytica scandal brought to light just how little control consumers have over their data. This law is the first step towards returning control of user data into the hands of users themselves.
- California is home to Silicon Valley – the world-renowned birthplace of technological innovation. The task of fighting tech giants in the state has been a losing battle, until now. The fact that the CCPA became law so quickly speaks volumes of the widespread support legislators received from their constituents to protect their privacy rights.
- California has always spearheaded privacy legislation. The CCPA now paves the way for other states to follow suit and perhaps even enact a national privacy act to protect all US citizens.
Consumer Privacy Game-Changer
Data collected by online companies is a goldmine for highly-targeted advertising and marketing efforts by third parties. It gives businesses and other entities insight into their consumers to predict their behavior and modify their messaging.
But, the issue of user data collection takes on a whole new dimension when it is sold, abused, or stolen. It is a gross violation of privacy that users have no control over. The 2020 California Privacy Law changes all that – for California State residents anyway.
It returns the power to the people: they now have a bigger say in what personal information companies collect and how it is used, and they have the chance to opt out of providing their data if they don’t want to. The law is a game-changer and will hopefully trigger other states to follow suit.