California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is legislation in the state of California that supports an individual's right to control their own personally identifiable information (PII). CCPA, also known as Assembly Bill No. 375 in the California State Legislature, was passed and signed into law by Jerry Brown, then the Governor of California, on June 28, 2018.
The CCPA seeks to give California residents a way to control their personal information by ensuring the following rights:
- The right to know what personal information is being collected about the resident.
- The right to know if personal information is sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to both equal service and price, even if they exercise their privacy rights.
Non-profit organizations are exempt from the CCPA. The CCPA applies to businesses that collect consumers’ personal data, does business in the state of California and meets one of the following criteria:
- Has annual gross revenues of twenty-five million dollars or more
- Buys, receives, sells, or shares personal information of 50,000 or more devices, consumers, or households for commercial purposes
- Takes 50% or more of annual revenues from selling consumers’ personal information
Definition of “Personal Information”
According to the CCPA, personal information does not include publicly available information. Instead, personal information identifies or is capable of being associated with, a particular individual or household, including:
- Name, alias, postal address, IP address and email address, account name, social security number, driver’s license and passport
- Records of products, property or services purchased, obtained or considered
- Biometric information
- Electronic network activity information, such as browsing and search history, information on a consumer’s interaction with an Internet Web site, application or advertisement
- Geolocation data
- Audio, visual, electronic, thermal or similar information
- Employment-related information
- Education information that is not publicly available
CCPA Compliance Deadline
The CCPA takes effect on January 1, 2020. However, the full details of compliance may not be finalized by that date. The California Attorney General will publish finalized details between January 1, 2020, and July 2, 2020. The Attorney General will solicit public participation to update additional categories of "personal information," and establish any exceptions related to compliance.
A business violates the CCPA if it fails to address an alleged violation within 30 days of being notified. Any business that violates the CCPA may be liable for a penalty of not more than $2,500 per each unintentional violation and $7,500 per each intentional violation.
Consumers whose data "is subject to an unauthorized access and exfiltration, theft, or disclosure" as a result of a business' violation of CCPA can recover damages of $100-$750 or the amount of actual damages -- whichever is greater.
CCPA Security Benefits
The CCPA affords California residents with more visibility and control over their personal information and how it’s being used. As technology and data plays a larger role in consumers’ lives, more personal information is shared between consumers and businesses. The CCPA legislation notes that California law has not kept pace with these developments and their implications on personal privacy.
The CCPA seeks to protect California residents from the risks of unauthorized disclosure of personal information including identity theft, destruction of property and reputational damage.
CCPA Impact on Businesses
Businesses will incur costs to come into compliance with the CCPA. For example, businesses must notify consumers what personal information is being collected, how it’s being used and whether it’s being disclosed or sold.
Businesses must provide consumers with a simple process to opt out of having personal information sold to a third party. Businesses must post a “Do Not Sell My Personal Information” link on its homepage.
Costs to implement these measures will come from website changes, updates to print materials and the creation of new materials or communications. Businesses will need to educate and train staff about the CCPA and may incur a cost for training programs and hiring additional employees.
Businesses may also incur a cost from hiring consultants or legal counsel related to CCPA compliance, violations and remediation.
Under the CCPA, consumers may request that businesses delete their personal information. Businesses need not comply with the consumers’ request if the Personal Information is required to:
- Complete a transaction
- Detect security incidents or protect against malicious activity
- Debug or repair errors that impair functionality
- Comply with a legal obligation
In defining personal information, the CCPA excludes information “that is lawfully made available from federal, state, or local government records.”
GDPR vs. CCPA
GDPR, a set of regulations that took effect in the European Union in 2018, has similar goals and regulations to the CCPA. There are some key differences, however:
GDPR casts a broader net
GDPR applies to all businesses that handle the data of EU citizens. The CCPA applies to companies that do business in the state of California, have revenue about US$25 million or whose primary business is the sale of personal information.
GDPR has higher penalties for non-compliance
Businesses that violate GDPR can be fined 4% of the company’s annual global turnover (e.g., revenue) or 20 million euros, whichever is greater. CCPA penalties are much narrower -- fines of $2,500-$7,500 per violation and fines of $100-$750 to individuals per violation.
GDPR considers the individual, while CCPA considers the individual plus household
While GDPR’s regulations apply to individuals, CCPA covers a broader scope. Personal Information, as defined by the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”