What is the California Consumer Privacy Act (CCPA)?
The CCPA, or California Consumer Privacy Act, is the latest product of California's legislature. It is the newest privacy law in the State of California, heavily influenced by the EU's General Data Protection Regulation (GDPR), and intended to protect consumers' data.
So, if you are already familiar with the GDPR, you will immediately notice similarities, but there are a few differences as well.
The CCPA complements privacy laws that already exist in California, such as CalOPPA (the California Online Privacy Protection Act).
The California Consumer Privacy Act does not replace them; it simply addresses certain issues that arise from advances in information technology, the way people communicate, and the way digital footprints are left today.
The constantly changing need for new ways to protect consumers is reflected in the new wave of data protection initiatives, and the CCPA is one of the first to address those problems.
When does CCPA go into effect?
The CCPA came into effect on January 1, 2020, and after a six-month grace period it becomes fully enforceable on July 1, 2020.
This means that all California-based businesses will have to adapt their privacy model and change the way they manage and process personal data.
Privacy trends point to the rise of privacy laws and regulations, with GDPR and CCPA leading the way.
What are the CCPA requirements?
The CCPA will apply to all companies that process personal information of California residents if they meet one of the following criteria:
- Company’s annual revenue surpasses $25 million;
- Company obtains personal information of at least 50,000 California residents, households or devices annually;
- Or company makes at least 50% of its annual revenue from selling the personal information of California residents.
Selling personal data, in this case, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating it orally, in writing, or by electronic or other means.
The scope of the law is not defined by territory. Instead, it protects the personal data of residents of the State of California regardless of where the business that processes it is located.
What does CCPA mean for your business?
If you meet one of the CCPA criteria, you will have to implement certain changes in the way you do business and process consumers' personal information. If you have a website, you will have to upgrade it and include a "Do Not Sell My Personal Information" option.
You will also have to inform your customers at every collection point about what categories of personal data you collect and for which purpose.
Explain to consumers how they can exercise their rights and clarify how you will use their data, what categories of data you collect, and for what purposes.
- Inform the customer how their personal data is going to be used, prior to collecting it.
- Respond free of charge when a customer requests information and details about the personal data you collected on them in the past 12 months.
- You should respond to customers' requests, although you are only obligated to provide this information up to two times in a period of one year.
Rights under the CCPA
Much like citizens of the EU, Californians can, from the beginning of 2020, exercise new rights granted under the CCPA, which include:
- Right to request information
- Right to data portability
- Right to opt-out of the sale of personal information
- Right to access data
- Right of disclosure
- Right to deletion
The fines and ramifications of non-compliance with the CCPA
Much like the GDPR, the California Consumer Privacy Act (CCPA) imposes fines on violators and non-compliant organizations. Besides the monetary penalties, there is also the risk of reputational damage to the business.
The CCPA caps the civil penalty assessed by the California Attorney General at no more than:
- $2,500 for each unintentional violation, or
- $7,500 for each intentional violation
If a data breach is discovered, consumers can recover damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is higher.
Penalties do not seem that high, right? However, fines can run into the millions. Say an organization violates the rights of 10,000 consumers: the penalties would be multiplied by 10,000.
These penalties do not seem too high compared to some other privacy laws, such as the GDPR. However, remember that they are imposed per individual violation and per consumer.
This clearly means that even smaller businesses with only a few customers can face large penalties. The CCPA does not prescribe a maximum total amount, which means that companies can potentially be penalized many times over, once for each violation.
The Act extends to consumers a private right of action, giving businesses exposure not only to government penalties but also to customer lawsuits.
Businesses have 30 days to fix non-compliance; otherwise, they will likely pay up to $7,500 per violation.
Final regulations that define the parameters of the law are yet to be released, and the State will not start enforcing the law before July 1. Californians are granted the right to sue companies that fail to take reasonable precautions to prevent data breaches.