CCPA: What You Need to Know About California’s New Privacy Law

Privacy is taking center stage in today’s digital world. Individuals around the globe demand increased privacy rights as data breaches become the norm and companies sell personal data. The governments of the world are answering this demand with a slew of new privacy laws that leave companies scrambling to keep pace. These laws include the General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA). What are these privacy laws and why are they so important?

GDPR is a data protection and privacy law that became enforceable in May 2018. This legislation aims to give individuals more control over their personal data and imposes sanctions on companies who violate the law. Though it is a European Union (EU) legislation, GDPR has had international effect. Multinational companies doing business in the EU have had to change their policies to comply, whether based in the EU or not. In addition, GDPR’s existence inspired significant changes to privacy laws around the world.

One example of a new privacy law inspired by GDPR is the California Consumer Privacy Act (CCPA). The intention of CCPA is to enhance privacy rights and consumer protection for residents of California in the United States. It is a data privacy law that grants rights to consumers regarding transparency and control over the collection of personal data in a manner similar to GDPR. California’s government signed the bill into law on June 28, 2018. It came into effect on January 1, 2020.

Let’s take a deeper look.

What does the CCPA include?

CCPA covers all the personal data you might expect – name, social security number, email address, username, password, driver’s license number, passport number, bank account number, credit/debit card number, phone number and physical address. It also includes information used by companies to track online behavior, such as IP addresses and device identifiers. In addition, the law covers information that can be used for characterization. Examples include race, physical description, education, employment, religion, marital status, sexual orientation and status as a veteran or member of the military. It also covers biometric information like fingerprints or facial recognition data, browsing history and location information.

The covered data is fairly robust, although the bill excludes data found in public government documents. For example, companies can still learn about a person’s marital status. However, the data must be collected directly from government records, not from other sources such as social media accounts.

How does CCPA impact consumers?

The CCPA grants the following data privacy rights to California residents:

• Know what personal data a company collects, including personal data, like smartphone locations or voice recordings
• Know if and to whom, their personal data is sold/disclosed
• Opt-out of the sale of their personal data
• Access their personal data, including detailed logs of a person’s online activities, physical locations, ride-hailing routes, biometric facial data, and ad-targeting data
• See the specific inferences made about them, including categorizations or predictions related to a person’s behavior, attitudes, psychology, intelligence or abilities
• Request a business to delete any personal information about a consumer collected from that consumer
• Exercise their privacy rights without the fear discriminated against.

How does CCPA impact companies?

CCPA applies to any company which:

• does business in CA
• has annual gross revenue of $25 million or more
• buys or sells the personal information of 50,000+ consumers or households
• or earns more than half of its annual revenue from selling consumers’ personal information.

Not only does the law cover ride-hailing services, retailers, cable TV companies, and mobile service providers but also all other companies that collect personal data for commercial purposes.

CCPA requires these companies to “implement and maintain reasonable security procedures and practices” to protect consumer data. Companies are required to do the following:

• Implement processes to obtain parental or guardian consent for minors under 13 years of age and the affirmative consent of minors between 13-16 years for data sharing purposes
• Include “Do Not Sell my Data” link on homepage of their website, allowing CA residents to opt out of the sale of their personal information
• Designate methods for submitting data access requests, including at a minimum, a toll-free telephone number
• Acknowledge a data access request within 10 days and deliver the requested information within 45 days
• Update privacy policies with newly required information including a description of CA residents’ rights
• Avoid requesting opt-in for 12 months after a CA resident opts out.

How is CCPA enforced?

Companies that become victims of data theft or other data security breaches can face civil class action lawsuits. These lawsuits may require companies to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper.

In addition, the California Attorney General’s Office has the option to prosecute the company instead of allowing civil suits to be brought against it. A fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation can also be imposed. This can result in hefty fines if the violations affect large groups of consumers.

Privacy in 2020 and Beyond

CCPA represents the largest statewide change to privacy law in a generation. Importantly, it has also prompted other states to consider their own privacy laws, some of which have already passed. Many compare CCPA to GDPR, the current the global benchmark for data protection and privacy. Though, there are a few key differences between CCPA and GDPR, including scope and territorial reach, levels of specificity, and an opt-out right for individuals regarding the sale of their personal information.

One specific example of how CCPA differs from GDPR is the definition of personal information. While GDPR covers all personal data regardless of source, CCPA only covers data that was provided by the consumer. It excludes personal data that is publicly available or was purchased by, or acquired through, third parties. In this respect, the definition of personal information in GDPR is much broader than in the CCPA. On the other hand, CCPA takes a broader approach to the definition of personal information than GDPR by including olfactory information as well as browsing history and records of interactions with a website, application or advertisement.

Mind Your Own Business Act

Introduced in October 2019, the Mind Your Own Business Act is another example of U.S. legislation aiming to protect personal data. This acts goes even further than GDPR. The bill would let consumers control how their data is used with one click and gives the Federal Trade Commission the authority to enforce the legislation. Moreover, enforcement could include jail time for corporate executives who lie about privacy safeguards.

The Mind Your Own Business Act is based on three fundamental ideas:

• Consumers must be able to control their own private information.
• Companies must provide greater transparency about how they use and share our data.
• We need to hold corporate executives personally responsible when they lie about protecting our personal information.

At this time, nine other U.S. states are considering similar laws. Maine and Nevada have already passed privacy legislation albeit with narrower parameters.

Some critics argue that the federal government must implement these privacy laws in order for them to be truly effective. An assortment of state-level laws with varying standards will complicate compliance.

Although we will likely see additional changes to the privacy landscape in the coming months and years, these new privacy laws are setting a new precedent and take us a big step in the right direction.