The state of California is the fifth largest economy in the world, larger than the United Kingdom, France, or India. On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect, and this new privacy law has extra-territorial implications. The CCPA is intended to protect consumers, enhance privacy rights and provide greater transparency for residents of the state of California. The CCPA also empowers consumers to file class action suits for privacy losses without requiring them to show any evidentiary loss of property or money. In the event of a data breach, a business could face civil damages of up to $750 per violation, per consumer, or actual damages, whichever is greater, plus any other relief the court deems proper.
A business anywhere in the world which suffers a data breach that includes personal data on a few thousand customers in California could face millions of dollars in CCPA fines.
The intentions of the CCPA are to provide California residents the right to:
- know what personal information is being collected about them.
- know whether their personal information is sold or disclosed and to whom.
- say no to the sale of personal information.
- access their personal information.
- not be discriminated against, even if they exercise their privacy rights.
- request a business delete any personal information collected from that consumer (subject to some exceptions).
Does the CCPA apply to your business?
Companies don’t have to be based in or have a physical presence in the state of California to fall under the law. They don’t even have to be based in the United States. As a basic rule, the CCPA applies to a company which does business in California (including online business), collects personal information, and satisfies one or more of the following:
- generates annual gross revenues in excess of $25 million.
- annually buys, receives, sells or shares, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What constitutes personal data?
Personal data in the CCPA is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Section 1798.40 defines what is included under personal information, which can be summarized as:
- Identifiers (e.g. real name, alias, postal address, email or IP address, etc.)
- Personal information in customer records (e.g. financial information, etc.)
- Legally protected characteristics (e.g. race, religion, sexual orientation, etc.)
- Commercial information (e.g. personal property, purchasing histories, etc.)
- Biometric information
- Internet or network activity (e.g. browsing history, search history, etc.)
- Geolocation data
- Sensory information (audio, visual, thermal, olfactory, or similar information)
- Professional or employment-related information
- Education information, defined as information that is not publicly available PII
- Metadata drawn from the above and used to create profiles (e.g. predispositions, etc.)
The Attorney General has the power to add additional categories of personal information in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
CCPA personal data security requirements
Like the GDPR, the CCPA requires that a business implement appropriate data protection measures over personal information, including both organizational and technical measures. Unlike the GDPR, the CCPA allows consumers to sue businesses when their “non-encrypted or non-redacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” As stated earlier, violations of this provision are subject to civil damages of up to $750 per violation, per user, in addition to actual damages.
Larger fines faced by knowingly non-compliant businesses
Come January 1, 2020, companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, or if an organization knowingly ignored its obligations, the CCPA allows the attorney general to seek civil penalties of up to $7500 per violation, per consumer. California citizens will have the ability to bring a civil action lawsuit against a company the attorney general declines to prosecute, and it allows class action lawsuits.
A company anywhere in the world which knowingly sells personal data of a few thousand customers in California who opted out of the sale of their data could face penalties of more than $10 million.
In order to comply with the CCPA, businesses should:
- update privacy notices and policies to reflect CCPA requirements;
- add a “Do not sell my data” button to their website;
- train pertinent employees on the new compliance requirements of the CCPA;
- audit and update systems to ensure they comply with new consumer rights provided by the CCPA;
- implement systems to comply with these new privacy notices and policies and follow-up on legitimate consumer requests under the CCPA;
- ensure they implement appropriate data protection measures, protecting the personal data of consumers.
The CCPA: A work in progress…
The State of California enacted the CCPA with urgency in June 2018, and the law as passed contained many ambiguities. It was passed, in part, to pre-empt a ballot initiative that was to be voted on in November 2018 and that, if passed, would have imposed stricter data privacy requirements. The CCPA cites “personal data misused by a data mining firm called Cambridge Analytica” as an example of the business practices it seeks to end. More amendments will likely follow, even after it takes effect in January 2020, but the core tenets and the rights granted to consumers will remain.
The regulatory climate around the world for personal data protection is heating up. California is among more than a dozen states adopting or considering new privacy laws. Data privacy regulations like the GDPR and CCPA are becoming the norm, and organizations must implement a variety of technologies and best practices to ensure compliance with them. A failure to comply can result in significant negative consequences, including direct financial costs through heavy fines, loss of corporate reputation, lost business opportunities, brand damage and the like. For more information on how the California Consumer Privacy Act can impact your business, and to ensure compliance with CCPA privacy regulations, get in touch.