The California Consumer Privacy Act (CCPA) becomes fully enforceable on 1st July 2020. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.
Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:
- Know and access the personal data being collected about them
- Know whether their personal data is being sold, and to whom
- Opt out of having their personal data sold
- Have their personal data deleted upon request
- Avoid discrimination for exercising their rights
CCPA also requires that a security breach involving personal data is notified to each individual it affects, regardless of whether the data is maintained inside or outside California.
CCPA is often called the US equivalent of the EU General Data Protection Regulation (GDPR). Both laws give individuals rights to access and delete their personal information. They require organisations to be transparent about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it only applies to for-profit entities, it does not require a legal basis for processing personal data (unlike Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer.
Unlike GDPR, CCPA does not have a dedicated regulator like the Information Commissioner in the UK. It is primarily enforced by the California Attorney General (AG) through the courts, although there is a private right of action for a security breach. The courts can impose penalties for breaches of CCPA depending on the nature of the breach:
- $2,500 per unintentional violation and $7,500 per intentional violation
- $100-$750 per consumer per incident, or actual damages if higher, for harm caused by a security breach
A business is only treated as being in breach of the CCPA if it fails to cure the alleged violation within 30 days of being notified of it.
The AG has now published the final proposed CCPA Regulations. These have to be read alongside the Act. The accompanying Final Statement of Reasons provides some interesting insights into the AG’s views and potential positions on certain issues.
While the CCPA penalties and damages may appear relatively low, it is important to note that they apply per violation, and in the case of a security breach per consumer affected. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars.
Two big US companies, Hanna Andersson and Salesforce, are already facing a class action lawsuit alleging CCPA violations. The lawsuit arises from a data breach that compromised the names, addresses and credit card information of over 10,000 California residents, which were then sold on the dark web. It claims the companies failed to protect consumer data, provide adequate security measures and safeguard their systems from attackers, and that they delayed notification of the breach.
During the coronavirus pandemic there has been an increased use of video chat and conferencing apps to stay connected. Both Zoom and Houseparty face class actions claiming that they failed to obtain consent from customers for the disclosure of their personal information to third parties such as Facebook.
There is more to come! The California State Assembly held a hearing on 12th June 2020 on the California Privacy Rights Act (CPRA) ballot initiative. Californians for Consumer Privacy, the advocacy group that proposed the 2018 ballot initiative which led to the enactment of the CCPA, has gathered more than 900,000 signatures to place the CPRA on the ballot in November 2020. This now looks very likely after Friday’s California Superior Court ruling, although a deal could still be struck to amend the CCPA in exchange for withdrawing the ballot initiative.
The CPRA (or an amendment to the CCPA) will further expand the privacy rights of California consumers as well as the compliance obligations of businesses, their service providers and contractors. It will, among other things, permit consumers to (1) prevent businesses from sharing (in addition to selling) their personal data; (2) correct inaccurate personal data about them; and (3) limit businesses’ use of “sensitive personal information”, the rough equivalent of Special Category Data under GDPR. This includes information about their race, ethnicity, religion and union membership, and biometric data. The proposed law will prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information for longer than reasonably necessary. Readers with knowledge of GDPR will agree that this new law is even closer to GDPR than the CCPA.
The CPRA will also establish a new California Privacy Protection Agency, which will be tasked with implementing and enforcing consumer privacy laws and imposing administrative fines. If enacted, CPRA will become operative on 1st January 2023, although its obligations would only apply to personal data collected after 1st January 2022.
A Federal Privacy Law?
CCPA represents the first real, comprehensive privacy legislation in the US. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly for a US federal privacy law. Nevada residents also now have more control over how their personal information is used: Nevada Senate Bill 220 recently came into force, giving consumers more ability to stop websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Microsoft recently announced that it will apply the main CCPA rights to all of its customers in the US.
CCPA’s impact will not just be felt by California-based businesses. Any business which processes personal data about Californian consumers needs to re-evaluate its privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big businesses, wherever they are based, will have to comply with the CCPA. With substantial fines and penalties for breaches and a six-month ‘look back’ period, now is the time to implement CCPA compliance measures.
Act Now has launched a US privacy programme covering everything US and international businesses need to know about CCPA and GDPR.