The California Consumer Privacy Act


The California Consumer Privacy Act (CCPA) comes into force on 1st January 2020. Sometimes known as the US equivalent of the General Data Protection Regulation (GDPR), it provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

CCPA’s impact will be felt not just by California-based businesses: businesses worldwide that process personal data about Californian consumers will also need to consider their privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big businesses, wherever they are based, will have to comply with the CCPA.

Like GDPR, CCPA is about giving people control over how their personal data is used by organisations. It requires transparency about how personal data is collected, used and shared. It gives Californian consumers various rights including the right to:

  • Know and access the personal data being collected about them
  • Know whether their personal data is being sold, and to whom
  • Opt out of having their personal data sold
  • Have their personal data deleted upon request
  • Avoid discrimination for exercising their rights

CCPA also includes a breach notification requirement like GDPR. A security breach involving personal data must be notified to each individual it affects. It does not matter if the data is maintained in or outside of California.

Fines and Enforcement

Fines for breaches of CCPA include:

  • $2,500 for unintentional and $7,500 for intentional violations of the Act. Legal action must be brought by the California Attorney General.
  • $100-$750 per incident, per consumer (or actual damages, if higher) for damage caused by a data breach. Legal action may be brought by consumers.

A business shall only be in breach of the CCPA if it fails to cure any alleged violation within 30 days after being notified of the same.

While these fines may appear relatively low, it is important to keep in mind they are per violation. It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case these fines could reach the hundreds of thousands or millions of dollars.

A Federal Privacy Law?

CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S. federal privacy regulation. Nevada residents also now have more control over how their personal information is used. Senate Bill 220 went into law recently, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already considering CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.

CCPA will not just have a big impact on US businesses. UK and EU companies doing business in the States also need to understand its provisions and implications. Ibrahim Hasan will be speaking about this topic when he addresses the NAPCP Commercial Card and Payment Conference in Las Vegas in April 2020.


CCPA is often compared to the GDPR.  Both laws give individuals rights to access and delete their personal information, require transparency about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it does not require businesses to have a legal basis for processing personal data (Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer. To learn more about the differences, have a look at this comparison chart produced by BakerHostetler LLP.

NEW CCPA Workshops

Our forthcoming CCPA workshops (in the UK and US) will cover the main obligations and rights in CCPA and practical steps to compliance. They are ideal for data protection officers and advisers in UK and US businesses.

Viva Las Vegas


Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.


The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.

In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.

The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.

Diane McGuire, CPCP, MBA, Managing Director of the NAPCP, said:

“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”

This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.

Ibrahim Hasan said:

“I am really pleased to address the NAPCP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”

Regular registration is now open for the event. Head over to this link to confirm registration.


Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.

FOI Reflections Series Part 1: When is an FOI request not an FOI request?


During a recent FOI A-Z course a delegate asked me what seemed like the simplest of questions: “How do we know whether something is business as usual, or an FOI request”? Naturally enough that gave rise to an interesting short discussion in which delegates expressed different views based on their practice and organisational policies. What became clear though, was that this seemingly simple question is anything but. So, how do organisations and practitioners know whether something is ‘business as usual’ or an FOI request?

Before attempting to answer this question, it is important to remind ourselves what a valid request under the Act looks like. S. 8 of the Freedom of Information Act (FOI) states that a request for information under the Act must:

  • Be in writing (this must be legible and can include electronic communication)
  • State the name of the applicant and the address for correspondence
  • Describe the information requested

This means that there is a degree of legal formality about an FOI request, particularly the need for it to be in writing. However, as the ICO guidance notes, this is not a hard test to satisfy and “almost anything in writing which asks for information will count as a request under the Act”. So far so good. On this logic any communication in writing that includes a request for information is to be regarded as a request under the Act and must be dealt with accordingly.

Requestors do not need to mention the Act or even direct their request to a designated FOI practitioner or team. Of course, where a requestor specifically mentions the Act this makes life easier and the request should be dealt with as an FOI request.

Responding to FOIA requests: Section 1

S.1 states that on receipt of a valid FOI request public authorities must do two things:

  • First, they must provide a written response which either confirms or denies that they hold the information (the duty to confirm or deny) (S. 1(a)); and
  • They must communicate the information to the applicant (unless any exemption(s) apply). It is useful to point out that the Act does not require that the communication is in writing, albeit this is most likely, particularly when requests are made by email/letter. However, S. 1(b) does allow for the oral communication of information.

However, what is perhaps less well known is that S.1(5) states that a public authority is deemed to have complied with (1)(a) where it has communicated the information to the applicant under 1(b). For instance, if a public authority receives an email request for a standard piece of information and it replies with an email attachment, or phones the applicant and tells them the information, then they are deemed to have complied with their duty to confirm or deny, without actually formally using these words. But this would still be a request under the Act and ought to be recorded as such.

So what is the problem?

The difficulty arises, in part, because of the advice given in the various guidance from the Information Commissioner’s Office and the revised S. 45 Code of Practice (see our blog on this code here), which both suggest that there are some circumstances where, despite the validity of a request, it may be more appropriate to deal with it outside of the Act.

  • The Code of Practice advises that, “information given out as part of routine business, for example, standard responses to general enquiries” does not need to be dealt with under the Act.
  • The ICO Guide states that, “It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures”. The ICO offers two examples of a normal customer enquiry; where a member of the public wants to know what date their rubbish will be collected, or whether a school has a space for their child. The ICO’s corresponding Flowchart refers to these as requests ‘in the normal course of business’.
  • The ICO’s Guidance on Recognising a Request under the FOIA states that if the requested information can be quickly and easily sent to the requester then it may be better dealt with in ‘the normal course of business’; for example, a request for a current leaflet.
  • The ICO Guide elaborates by saying that the provisions of the Act only need to come into force if a public authority “cannot provide the requested information straight away” or the requestor “makes it clear that they expect the request to be dealt with under the Act”.

All the above appear to suggest that public authorities have a degree of discretion in deciding whether a seemingly valid request for information should be treated as a formal request under the Act or whether it can simply provide the information without going through the formalities of the Act.

Little wonder then that FOI practitioners struggle and ask the seemingly simple question that prompted this blog! In response I would offer the following thoughts, which may be useful to bear in mind when contemplating whether a request is an FOI request or not:

  1. The Act is legally binding, and it states that valid requests (defined in S.8) must be dealt with as requests under the Act. The guidance is not legally binding and has no legal authority.
  2. The formalities of the Act are not onerous in circumstances where a public authority is not applying an exemption. Remember, S.1 (5) states that by communicating the information to the applicant you are deemed to have complied with your duty to confirm or deny that you hold the information.
  3. The revised Code of Practice recommends that all public authorities with more than 100 full time equivalent employees publish their FOI compliance statistics on their publication schemes on a quarterly basis.
  4. FOI practitioners frequently say that they are under-resourced and heavily burdened. Recording all requests for information as requests under the Act (as opposed to disclosing informally) will help provide a truer reflection of the volume of requests made to public authorities.

Once we know what an FOI request is, the next question is who can make a request? What about Spiderman? The answer is here.

We have a series of FOI workshops covering the basics as well as more advanced topics such as exemptions. Our FOI Practitioner Certificate is popular with FOI officers seeking a formal qualification. Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch if you would like a no obligation quote.

The Scottish Information Commissioner’s Annual (FOISA) Report


The Scottish Information Commissioner, Daren Fitzhenry, recently published his annual report for 2018/19. Mr Fitzhenry enforces the Freedom of Information (Scotland) Act 2002 (FOISA) as well as the Environmental Information (Scotland) Regulations 2004.

According to the report, Scottish public bodies are receiving record numbers of FOISA requests: 83,963 requests were reported by them in the year 2018/19, a rise of 8% on the year before. Three quarters of these requests led to a full or partial release of information.

The number of appeals made to the Scottish Information Commissioner also increased, by 10% to 560, still just 0.7% of all requests made. Just under two thirds of the Commissioner’s appeal decisions (64%) were either fully or partially in favour of the requester.

Scottish public authorities must respond promptly to FOISA requests and no later than 20 working days. However, the report shows that they are increasingly failing to comply with this requirement. The number of times an authority failed to respond to an FOI request rose from 601 in 2017/8 to 940 in 2018/19. 26% of valid appeals to the Commissioner were about an authority’s failure to respond.

The Commissioner has responded to this failure to comply with the FOISA time limits by making more than 250 interventions over the course of the year. A third (33%) of his basic interventions investigated authorities’ compliance with statutory timescales. Often these failures can be indications of other fundamental problems, such as FOISA management and culture issues, staff absences or procedures not working well.  

A poll of Scottish adults, conducted in May 2019, found disappointing levels of confidence in public bodies’ ability to respond to requests, which were much lower than the actual performance in practice. 57% of those surveyed were “very” or “fairly confident” they would receive a response to a request for information from a public body. 38% were “not very” or “not at all confident” they would receive a response. Any increases in authorities’ failures to respond are likely to feed this perception.

FOISA requires authorities to publish information as well as respond to requests. According to the above-mentioned poll, 9 in 10 people in Scotland thought it was important for public bodies to publish information about the reasons for the decisions they make, information about contracts with other organisations and information about how they spend their money.

The Commissioner is using the opportunity of his annual report to emphasise the need for authorities to do more to improve their FOISA compliance. He said on his website: 

“We are seeing increasing numbers of information requests being made to Scottish public authorities. 

While many are performing well, there has been a concerning increase in failures to respond to requests for information on time.  Such failures impact on people’s perception of both freedom of information and the authorities themselves.  

Freedom of Information brings significant benefits to authorities who comply with it. Public bodies improving their Freedom of Information practice will make a real difference not only to the requester’s experience but also to the authorities themselves.” 

It’s going to be a busy year ahead for FOISA. The Scottish Parliament is due to complete its post-legislative scrutiny of the Act soon. This may lead to legislative changes. From 11 November 2019, registered social landlords (RSLs) in Scotland will become subject to FOISA.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. Read a successful candidate’s observations.

European Data Protection Summit: Act Now Announces Winners of Free Tickets

Act Now is pleased to announce the winners of the 5 free delegate tickets for the European Data Protection Summit taking place in Manchester on 13th and 14th November 2019. We are sponsoring this two day event which will deliver top-level strategic content, insights, networking, and discussion around data protection, privacy and security. In addition to leading content, tickets will include refreshments, lunch and access to exclusive post-event content.

Congratulations to:

  1. Jamie Burton of Wythenshawe Community Housing Group
  2. Kathy Fleming of The Lead Agency
  3. Sam License of National Institute for Health and Care Excellence
  4. Matt Stephenson of University of Bradford
  5. Jacqueline Gillanders of HEFSTIS

All the winners will receive an email giving details of how they can book their free place.

Thank you to all of those who expressed an interest.

We will be exhibiting at this event. Come and say hello on our stand and talk to us about our range of GDPR Update Workshops, E learning and Certificate Courses (Oh and collect some freebies!)