The California Consumer Privacy Act (CCPA) comes into force on 1 January 2020. Sometimes described as the US equivalent of the General Data Protection Regulation (GDPR), it provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.
CCPA's impact will not be felt only by California-based businesses: businesses worldwide that process personal data about Californian consumers will need to review their privacy practices. With 40 million residents, California makes up 12 percent of the US population, so most large businesses, wherever they are based, are likely to have to comply with the CCPA.
Like GDPR, CCPA is about giving people control over how their personal data is used by organisations. It requires transparency about how personal data is collected, used and shared. It gives Californian consumers various rights including the right to:
- Know and access the personal data being collected about them
- Know whether their personal data is being sold, and to whom
- Opt out of having their personal data sold
- Have their personal data deleted upon request
- Avoid discrimination for exercising their rights
CCPA sits alongside California's existing breach notification requirement, which is similar to GDPR's: a security breach involving personal data must be notified to each individual it affects, and it does not matter whether the data is maintained inside or outside California.
Fines and Enforcement
Fines for breaches of CCPA include:
- $2,500 per unintentional violation and $7,500 per intentional violation of the Act. Legal action must be brought by the California Attorney General.
- $100 to $750 per consumer per incident, or actual damages if higher, for harm caused by a data breach resulting from a failure to implement reasonable security. Legal action may be brought by consumers.
A business is liable for a violation only if it fails to cure the alleged violation within 30 days of being notified of it.
While these fines may appear relatively low, keep in mind that they are per violation. It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case the fines could reach hundreds of thousands or millions of dollars.
A Federal Privacy Law?
CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly for a U.S. federal privacy regulation. Nevada residents also now have more control over how their personal information is used: Nevada's Senate Bill 220 recently came into effect, giving consumers more ability to stop websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Microsoft recently announced that it will apply the main CCPA rights to all its customers in the U.S.
CCPA will not just have a big impact on US businesses. UK and EU companies doing business in the States also need to understand its provisions and implications. Ibrahim Hasan will be speaking about this topic when he addresses the NAPCP Commercial Card and Payment Conference in Las Vegas in April 2020.
CCPA and GDPR
CCPA is often compared to the GDPR. Both laws give individuals rights to access and delete their personal information, require transparency about how information is used, and require contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it does not require businesses to have a legal basis for processing personal data (Article 6 of GDPR), it places no restrictions on international transfers, and it has no requirement to appoint a data protection officer. To learn more about the differences, have a look at the comparison chart produced by BakerHostetler LLP.
NEW CCPA Workshops
Our forthcoming CCPA workshops (in the UK and the US) will cover the main obligations and rights under CCPA and the practical steps to compliance. They are ideal for data protection officers and advisers in UK and US businesses.