California consumers have new rights under the California Consumer Privacy Act (CCPA). The CCPA is a landmark legislation enacted in 2018 and effective January 1, 2020. While the CCPA is the first law in the U.S. to mandate specific rules related to consumer data, few businesses reported being ready for the effective date.
A survey from One Trust revealed only 2 percent of companies considered themselves CCPA compliant as late as August 2019. In addition, 13 percent of the companies surveyed did not plan to fall into compliance by the time the law was to be enforced. For the average online consumer, life hasn’t changed much under the new law. However, the requirements are forcing corporations to take consumer privacy seriously.
The CCPA essentially applies to any for-profit venture that operates in California and either:
Business owners who operate in California and collect, share, or sell California consumers’ personal data and meet any of the benchmarks above, are likely governed by the CCPA. The CCPA’s reach is extended to any business that owns, is owned by, or shares common branding with a covered business.
For users, there are two broad categories under CCPA called, “the right to know” and “the right to say no.” Essentially, the new law gives consumers the right to know what information a business has collected about them, have the data deleted, and decline to have businesses sell their information to third party entities.
While the California Attorney General has admitted to only having the bandwidth to prosecute a “few cases a year,” not following the law has potential for steep fines for covered businesses. A data breach could result in a business being sued up to $2,500 per user per piece of data, or $7,500 for an intentional breach. For businesses with extensive databases, the penalty could easily reach into the tens or hundreds of millions of dollars in fines.
Businesses are required to follow “reasonable practices and procedures” to avoid the data breach. Violations of CCPA could occur if “non-encrypted or non-redacted personal information” is breached, regardless of the harm done to the data. Consumers are eligible to sue for between $100 and $750 for each violation under the CCPA. However, the consumer must give a 30-day window after submitting a written notice to a company they believe violated their privacy rights.
According to California legislature, personal information refers to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information includes a real name, alias, postal address, unique personal identifier, social security number, account name, and other information. Read the complete list here.
The CCPA does not restrict a business’ power to gather or sell a consumer’s personal information if every step of the information collection and sell process takes place outside of California. That is to say, the business must:
Other exclusions to the CCPA include federally regulated information, like the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach Bliley Act (GLBA); the Fair Credit Reporting Act (FCRA); or the Drivers’ Privacy Protection Act (DPPA).
The California Consumer Privacy Act (CCPA) is a bill designed to shield Californians from having their personal information collected and sold by qualifying businesses without their consent. The bill was approved by the governor June 28, 2018 and took effect January 1, 2020.
The California Consumer Privacy Act (CCPA) became law January 1, 2020. It mandates a particular segment of businesses to comply with strict privacy laws and opt out options for online consumers. Consumers have the option to know what data is being collected on them, stop the sell of their information, and take legal action in the event of a security breach.
The legislature defines “personal information” as it relates to the CPPA as ““information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A complete list of information is available online.
The CCPA essentially applies to any for-profit venture that operates in California and either: makes a minimum of $25 million in annual gross revenues. owns data on more than 50,000 consumers, households, or devices, or makes more than half of its annual revenue by selling consumer’s personal information.
Companies have 30 days to comply with the law once regulators notify them of a violation. Under CPPA, consumers and state regulators can file a lawsuit against violators of the law. Each intentional violation may be subject to a fine up to $7,500, and unintentional violations are subject to a fine up to $2,500. Consumers who have suffered a data breach may sue for up to $750 for each piece of information made available unlawfully.
Covered companies must allow consumers to opt out of having their data shared with third parties. Companies must separate data based on each users’ privacy settings and must make the collected data available to all users upon request. In addition, consumers can request to have their data deleted. A company is not allowed to refuse service to a consumer who opts out of sharing their information but can offer incentives to users who provide the data.
The CPPA a state law that covers businesses that operate in California, but it also effects businesses who sell to Californians, or display a website in the state.