Basics of the California Consumer Privacy Act of 2018
The California Consumer Privacy Act (CCPA) A.B. 375 has been described as the strictest user rights and data privacy law ever enacted in the United States. The move has been attributed to the privacy scandals associated with companies like Cambridge Analytica and Facebook.
Many say that pressure from industry lobbyist groups over potential job losses is what compelled legislators to pass the CCPA into law before the deadline for the November vote.
Any businesses that have customers in California will have to modify their operations to comply with the stricter privacy laws and some could lose access to valuable consumer data as well.
- 1. What is the CCPA
- 1.1. The GDPR and the CCPA
- 1.2. Lawmakers Push CCPA Into Law
- 2. Who the CCPA Applies to and Affects
- 3. How the CCPA Changes Things
- 3.1. Restricting Companies' Reliance on Consumer Data
- 3.2. Managing New Privacy Standards
- 4. Key Clauses and Components of the CCPA
- 4.1. Disclosure
- 4.2. More User Control for Consumers
- 4.3. Protection for Consumer Privacy
- 4.4. Being Non-discriminatory with Consumers
- 5. What are the penalties for not complying?
- 6. CCPA in Effect in 2020
What is the CCPA
The CCPA is a landmark consumer privacy law out of California that forces significant changes on businesses involved with personal data of California residents. The law especially affects those operating online. It was passed into law on June 28, 2018, and will come into effect at the start of 2020.
The legislative bill passed based on an initiative originally drafted by Californians for Consumer Privacy. A privacy ballot initiative with stricter standards was expected to be passed by California's voters in November if it wasn't taken up by state legislators beforehand.
The GDPR and the CCPA
The CCPA is centered on the principles of accountability, control, and transparency. It's also based on the new, comprehensive General Data Protection Regulation (GDPR) privacy law passed by the European Union. Like the GDPR, the CCPA is designed to give users more control of their personal data.
Some expect this act to better align the US with the strict EU privacy standards and set the stage for a new era of digital regulation over privacy rights.
The law can still be adjusted and edited until it goes into effect in 2020. The language of the bill is still subject to change because it was passed through the state legislature. Any measures signed off by California's Governor would still have to be approved unanimously by the Senate.
Lawmakers Push CCPA Into Law
If the law had been passed by the residents of California through a ballot measure, the language of the act would be immutable. However, backers of the initial initiative agreed to drop it and endorse the passage of the law after going through exhaustive negotiations led by internet providers.
Until the CCPA becomes enacted on Jan. 1, 2020, lobbyists, tech companies, and privacy advocates are each expected to attempt to influence regulation in their favor.
Who the CCPA Applies to and Affects
Any businesses marketing or collecting personal data on California residents are subject to this law.
The physical location of a business does not absolve it from complying with the CCPA.
The CCPA explicitly requires companies collecting or selling California consumers' data to comply with the new regulations, regardless of where they are located. In addition, businesses generating over $50 million in annual revenue that sell at least 100,000 customer records and derive at least 50 percent of their annual revenue from consumers' personal information must comply with the CCPA.
Technically, this privacy law only provides protections for California residents, but many expect the CCPA to have much broader implications.
Business owners and digital marketers operating in California will be held accountable for abiding by the new privacy standards and regulations required by the CCPA. The policy was negotiated primarily by network providers, technology start-ups, Silicon Valley internet companies, and others affected by the potential changes.
How the CCPA Changes Things
The CCPA sets a broader definition for personal information, now including metrics like geolocation, personal identifiers, psychometric data, inferences about the consumers made by the company and internet browsing history.
The CCPA increases the penalties and fines on violations of existing laws as a way to hold businesses more accountable for privacy breaches and securing consumers' personal information. As a business owner, you can be found to be in violation of the new privacy law if you fail to implement and uphold reasonable security procedures.
This new act will allow California residents to bring their data to another service provider or to have it deleted. Businesses providing highly targeted advertising will have their income greatly affected as the new protections allow for far less precise data collection on individual customers.
Restricting Companies' Reliance on Consumer Data
The new CCPA requirements could create challenges for larger companies that already have established business models in the digital sector. Google, Twitter, Facebook and others generating revenue by targeting advertising through internet platforms may suffer considerably. Internet service providers like Verizon and AT&T that rely heavily on consumer data may be negatively impacted as well.
These new privacy standards may also hurt data brokers who generate their primary income from selling consumer data to third parties. Any retailers or internet companies who deal with consumer data and have customers in California are likely to be affected by this new privacy law as well.
Managing New Privacy Standards
Companies with customers in-state and outside the state will now be faced with how to manage the different types of privacy laws. Companies will be left with two options: either reform their entire data protection and data rights infrastructures to comply with California's law or institute a patchwork data regime in which Californians are treated one way and everyone else another.
Either two different systems have to be maintained - one specifically tailored around the CCPA - or the entire system must be revamped to be in compliance with the CCPA.
It's recommended that you revamp your entire system so that other customers don't begin to take issue with companies affording Californians more protections than everyone else.
In fact, experts expect companies to adjust to the CCPA and provide all states with equal data protection, as opposed to risking alienating most of their customers.
Key Clauses and Components of the CCPA
The CCPA explicitly guarantees California residents a series of rights concerning personal data collected online:
This new act has been described as a diluted GDPR bill tailored for the US, and if you're familiar with the GDPR you can likely see why already.
Customers in California must also be given the right to request a number of disclosures from a business with access to their personal data:
- The categories of information collected
- The categories of sources where it has been collected from
- The business or commercial purpose behind collecting or selling the information
- The categories of any third parties a business shares personal information with
- The specific pieces of information that have been collected about the requesting individual
If you do receive a personal information data request from a user, CCPA guidelines require it to be responded to in a timely manner, within 45 days. The CCPA allows users to make these disclosure requests two times per year.
More User Control for Consumers
The CCPA now provides consumers with the right to opt out. At any time, consumers have the right to direct a business to stop selling their personal information to third parties.
According to the CCPA, companies can now provide consumers age 16 and younger with the right to opt-in. However, in order to sell the information of someone age 13 or younger, you're still required to receive their permission from their parents or guardians.
Businesses are also required to ensure they are honoring consumers' requests to have their data completely deleted.
Protection for Consumer Privacy
Since the CCPA will allow users to sue companies over privacy losses caused by data breaches, securing customer information will be an even higher priority than ever before. In order to keep customer data safe, there should be regular audits, assessments of the systems used to manage data and some strategic approach to maximizing protection.
Being Non-discriminatory with Consumers
The CCPA prohibits businesses from discriminating against users who choose to exercise any of the consumer rights provided. The CCPA outlines a number of actions you could take that would be considered discriminatory against a consumer.
The CCPA does allow you to offer different qualities or prices of goods or services if it's reasonably related to the value provided to the customer by their consumer data. Companies that do engage in altering their offers for access to consumer data could potentially expose themselves to customer backlash.
What are the penalties for not complying?
Since the CCPA is California legislation, penalties and enforcement for not complying are led by the Attorney General's office. If a business fails to cure alleged noncompliance within 30 days following notification from the state, it could be considered in violation and charged a civil penalty of up to $7,500 per violation.
Any business operating in California that isn't compliant with CCPA could face civil damages of up to $750 per violation, per user. While not as costly as the GDPR, sizable data breaches for companies with thousands of customers in California could quickly total up to around $1 million in CCPA fines.
The CCPA also allows consumers to file lawsuits for privacy losses without showing any evidentiary loss of property or money. Unlike traditional lawsuits, those filed for CCPA privacy violations do not need to be founded on proof of damages.
CCPA in Effect in 2020
When Jan. 1, 2020, arrives, the California Attorney General will seek public participation in adopting more regulations to further the CCPA. A great deal of the focus will center on ensuring that businesses are promoting consumer awareness about the ability to opt out of having their personal information sold.
Things to remember about the CCPA:
- Consumers have the right to access all the data a business collects about them
- Consumers can choose to not have their information sold to third parties
- Consumers can request that companies completely delete their personal data
- Consumers have the right to know which category of third parties their data was sold to
- Consumers have the right to know the reason for the data collection
- Enforcement is led by California's Attorney General
- Consumers can take legal action without proof of damages if they are subjected to a breach of privacy
Any business working with data involving consumers in California will benefit from learning more about the new privacy standards and how to adjust their data management and privacy practices accordingly.