California Consumer Privacy Act (CCPA)

CCPA Requirements

Non-profit organizations are exempt from the CCPA. The CCPA applies to businesses that collect consumers’ personal data, does business in the state of California and meets one of the following criteria:

• Has annual gross revenues of twenty-five million dollars or more
• Buys, receives, sells, or shares personal information of 50,000 or more devices, consumers, or households for commercial purposes
• Takes 50% or more of annual revenues from selling consumers’ personal information

Definition of “Personal Information”

According to the CCPA, personal information does not include publicly available information. Instead, personal information identifies or is capable of being associated with, a particular individual or household, including:

• Name, alias, postal address, IP address and email address, account name, social security number, driver’s license and passport
• Records of products, property or services purchased, obtained or considered
• Biometric information
• Electronic network activity information, such as browsing and search history, information on a consumer’s interaction with an Internet Web site, application or advertisement
• Geolocation data
• Audio, visual, electronic, thermal or similar information
• Employment-related information
• Education information that is not publicly available

CCPA Compliance Deadline

The CCPA takes effect on January 1, 2020. However, the full details of compliance may not be finalized by that date. The California Attorney General will publish finalized details between January 1, 2020, and July 2, 2020. The Attorney General will solicit public participation to update additional categories of "personal information," and establish any exceptions related to compliance.

CCPA Penalties

A business violates the CCPA if it fails to address an alleged violation within 30 days of being notified. Any business that violates the CCPA may be liable for a penalty of not more than $2,500 per each unintentional violation and $7,500 per each intentional violation.

Consumers whose data "is subject to an unauthorized access and exfiltration, theft, or disclosure" as a result of a business' violation of CCPA can recover damages of $100-$750 or the amount of actual damages -- whichever is greater.

CCPA Security Benefits

The CCPA affords California residents with more visibility and control over their personal information and how it’s being used. As technology and data plays a larger role in consumers’ lives, more personal information is shared between consumers and businesses. The CCPA legislation notes that California law has not kept pace with these developments and their implications on personal privacy.

The CCPA seeks to protect California residents from the risks of unauthorized disclosure of personal information including identity theft, destruction of property and reputational damage.

CCPA Impact on Businesses

Businesses will incur costs to come into compliance with the CCPA. For example, businesses must notify consumers what personal information is being collected, how it’s being used and whether it’s being disclosed or sold.

Businesses must provide consumers with a simple process to opt out of having personal information sold to a third party. Businesses must post a “Do Not Sell My Personal Information” link on its homepage.

Costs to implement these measures will come from website changes, updates to print materials and the creation of new materials or communications. Businesses will need to educate and train staff about the CCPA and may incur a cost for training programs and hiring additional employees.

Businesses may also incur a cost from hiring consultants or legal counsel related to CCPA compliance, violations and remediation.

CCPA Exceptions

Under the CCPA, consumers may request that businesses delete their personal information. Businesses need not comply with the consumers’ request if the Personal Information is required to:

• Complete a transaction
• Detect security incidents or protect against malicious activity
• Debug or repair errors that impair functionality
• Comply with a legal obligation

In defining personal information, the CCPA excludes information “that is lawfully made available from federal, state, or local government records.”

GDPR vs. CCPA

GDPR, a set of regulations that took effect in the European Union in 2018, has similar goals and regulations to the CCPA. There are some key differences, however:

GDPR casts a broader net

GDPR applies to all businesses that handle the data of EU citizens. The CCPA applies to companies that do business in the state of California, have revenue about US$25 million or whose primary business is the sale of personal information.

GDPR has higher penalties for non-compliance

Businesses that violate GDPR can be fined 4% of the company’s annual global turnover (e.g., revenue) or 20 million euros, whichever is greater. CCPA penalties are much narrower -- fines of $2,500-$7,500 per violation and fines of $100-$750 to individuals per violation.

GDPR considers the individual, while CCPA considers the individual plus household

While GDPR’s regulations apply to individuals, CCPA covers a broader scope. Personal Information, as defined by the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”