THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
What is CCPA?
As consumers grow increasingly more concerned about their personal data privacy, governing bodies are growing ever more vigilant and demanding in how they want to help consumers protect that privacy. In June, 2018, the state of California passed the California Consumer Privacy Act (CCPA) that aims to protect the personal information of California residents and consumers while also allowing those residents much more control over their personal data. Though similar to – and in some respects less restrictive than - the EU’s General Data Protection Regulation (GDPR), the CCPA could actually be more difficult for American companies to comply with.
The CCPA was signed into law in June 2018 and took effect on January 1, 2020, although actual enforcement of it won’t really begin until July 1, 2020 when the Attorney General of California will have full authority to issue fines and penalties for non-compliance. So, those companies who are not yet in compliance or, worse yet, not even anywhere down the path to compliance, need to begin a compliance strategy immediately.
What does the law do exactly? It allows any California resident (or “consumer”) to request a company provide them with all the data they have saved on them, along with a full listing of all third-party entities that company has sold the data to and/or shared the data with. This law also allows the consumers to sue those companies if the privacy rules are violated – even if there is no actual data breach.
Who is Considered a California Resident?
According to the CCPA, “The term ‘resident,’ as defined in the law, includes 1) every individual who is in the State for other than a temporary or transitory purpose, and 2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.” Section 17014 of Title 18 of the California Code of Regulations
Who Needs to Comply?
There are a number of factors that determine if your company needs to follow the requirements of the CCPA. The first – and simplest – of those is whether or not your organization collects personal data from residents of California. If you don’t, you’re finished here and you can move on. However, if you do, then you and your parent and/or subsidiary companies have to take into account whether or not you meet ANY of the following qualifiers:
- Your annual gross revenue is $25 million or more
- You acquire personally identifiable information (PII) from up to or over 50,000 California consumers, households or devices on an annual basis
- 50% or more of your annual revenue is derived from selling the PII of California residents (in other words… you’re a data broker)
Remember… you only have to tick off one of the above bullet points to qualify as a company that is subject to the requirements of the CCPA.
What Qualifies as Personal Data?
“Personal data” has been defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.”
The CCPA goes on to say that personal information includes, but is not limited to:
- Identifiers such as a real name, alias, postal address, unique personal identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information (i.e., fingerprints, retinal scans, facial recognition, voice recognition, DNA, etc.).
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information.
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not include information that is already publicly available. This is information that is “lawfully made available from federal, state, or local government records” with the exception of biometric information that was collected without the consumer’s consent or knowledge.
What are the Penalties for Non-Compliance?
Companies who do not comply with the CCPA can face any number of fines and penalties for violations whether they be considered intentional or unintentional. And, in addition to the civil fines and penalties a company can be hit with, they can also be sued by the consumer directly. Here is a brief list of the financial burdens a company can face for non-compliance with the CCPA:
- Unintentional violation = $2500 per record per breach
- Intentional violation = $7500 per record per breach
- Payments to the consumer = $100 - $750 (or actual damages) per occurrence
If one can imagine how many records are affected in a data breach, the potential amount of fines and/or penalties is staggering.
What Rights does CCPA give Consumers?
The CCPA grants new rights to California residents as it pertains to their personal data and information:
- The consumer has the right to know what personal information is collected, used, sold or shared – both as to the specific pieces and categories of information.
- The consumer has the right to delete personal information stored by the business AND the business’s service provider.
- The consumer has the right to opt out of the sale of their personal information. Consumers can force a company that is selling their personal information to stop selling that information.
- The consumer has the right to not be discriminated against in terms of price or service when they exercise their rights to privacy under the CCPA.
California is just the first state to pass and enact much stricter consumer privacy laws. There are a number of other states working on legislation and coming closer to passing stricter privacy laws of their own. New York, Massachusetts, Rhode Island, Maryland, Mississippi, North Dakota, New Mexico and the state of Washington are all well down the road to passing their own laws next. And, while every state will be different in what they require and pass, being CCPA compliant will make it easier to implement new changes to an existing privacy structure rather than having to build something from the ground up every time.