As the name itself suggests, the California Consumer Privacy Act (CCPA) is a data protection law of the U.S. state of California. It sets out rules that must be followed by companies that handle personal data. The CCPA emerged in the wake of the General Data Protection Regulation (GDPR), the European law, and out of California's need to better protect its residents, since there is no single general data protection law in the country.
The CCPA was approved in 2018 and will take effect in January 2020. In short, the main change the law brings is that California residents will have more rights over their data. In other words, the law gives people the right to access their data, to know how it is used, and to object to its use.
“At the same time, California is one of the world’s leaders in the development of new technologies and related industries. Yet the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information”, states the assembly bill.
Which companies does CCPA affect?
The CCPA applies to companies doing business in California, but not to all of them. A company must meet at least one of the following requirements for the law to apply to it: have USD 25 million or more in annual revenue; earn more than 50% of its annual revenue from selling consumers' personal information; or handle, annually, the personal data of more than 50,000 consumers, households, or devices.
As we said, the company needs to do business in California. This does not mean that the company must have its headquarters in the state, or even in the United States. A company falls under the law simply by handling the data of people living in California.
Also, as with almost every law, there are exceptions. The CCPA doesn't affect financial and healthcare companies that already operate under other data protection and security laws, such as HIPAA, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act.
Definition of personal information according to CCPA
According to CCPA, personal information means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
In practice, for example, personal information involves data that may identify someone, such as name, email address, and passport number; business information, such as records of goods and services; biometric information; geolocation data; job-related information; sound and visual information; and educational information.
CCPA key points
The CCPA's goal is to protect and assure the data privacy rights of people living in California. To that end, the law demands more responsibility and transparency from companies and, in return, protects the consumer. With that in mind, the main points of the CCPA relate precisely to the rights acquired by the state's residents.
The law itself states that Californians have the right to know what personal information is collected; to know whether the information is sold or disclosed, and to whom; to say no to the sale of their data; to access their own information; to receive equal service and price even if they exercise their privacy rights; and to request that their data be deleted.
Regarding deletion requests, the CCPA says that a company is not obliged to delete information at the consumer's request in some situations, for example where it must comply with a legal obligation, detect security incidents, or exercise free speech.
The law also states that companies must respond promptly to requests for access to personal information. And they mustn’t charge for it.
“A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period”, says the CCPA.
CCPA non-compliance penalties
If a company is notified of a violation of the law, it has 30 days to cure it; otherwise there can be a fine of up to USD 7,500 per violation. In addition, the CCPA sets out penalties for cases in which unauthorized access to information occurs, for example through a data breach or theft.
The law states that companies have an obligation to maintain security practices appropriate to the nature of the data, and that a civil action may be brought in some circumstances, such as:
“To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
And who will enforce the law? The answer is: the California Attorney General will enforce the CCPA.
CCPA compliance tips
At some points in the law, there are guidelines on how companies can meet its requirements. In other words, the CCPA is concerned not only with punishment and demands, but also with guidance and awareness. Check it out:
A business shall “make available to consumers two or more designated methods for submitting requests for information”. It shall “disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer”. And, to identify the consumer, it shall “associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer”.
In fact, the CCPA changes the relationship between businesses that operate in California and their customers. It is a point in the law's favor that it requires more responsibility and transparency from companies, thus ensuring more rights for people. Indeed, the whole world is moving in this direction.
The most interesting thing to note about the CCPA, however, is the impact it will have. Other U.S. states are already moving to create regulation along the lines of the California law, so we are probably looking at a domino effect. Perhaps the CCPA and other state laws will end up influencing legislation at the federal level. It would be very nice if the United States created a general privacy and data protection law, wouldn't it?
CCPA in full
If you want to check out the full CCPA, click here.