January 6, 2020 Faith Kubicki
What is the California Consumer Privacy Act (CCPA)? Your Guide to the United States’ New Privacy Law & Compliance Requirements for 2020
In June 2018, California passed the California Consumer Privacy Act – otherwise known as the CCPA, or Assembly Bill 375. This law is often compared to the European Union’s General Data Protection Regulation (GDPR): one of the first major regulations on the collection and sale of personally identifying consumer data.
The California Consumer Privacy Act is now effective – although many companies still have concerns about what the regulations cover, much less how to become compliant. Enforcement is likely to begin in July 2020, allowing companies to modify their policies and procedures in accordance with the law.
What is the California Consumer Privacy Act?
The CCPA establishes consumer privacy protections based on principles of notice, access, and consent. Anything that can be considered personally identifiable information – such as a person’s name, IP address, email address, social security number, employment and education data, driver’s license or passport, internet search history, personal property records, and more – is covered under the law. (The legislation even includes information that can be traced to a single household, if not the individual consumer.)
The core aspects of the California Consumer Privacy Act include:
Consumer Right to Know
Under the new California privacy law, consumers have the right to know how their data is collected and used. They can request a copy of any personal data that a company has collected on them, as well as the names and addresses of any third parties that this data has been shared with. Companies have 45 days to produce a copy of this information, and the request must be processed free of charge.
Consumer Opt-Out from the Sale of Personal Information
The California privacy law also allows consumers to opt out of the collection and sale of their personal data. (For the purposes of this law, “sale” also includes renting, disclosing, or verbally communicating, even outside of a monetary transaction.) Once a consumer has opted out, the company must wait a minimum of 12 months before re-seeking permission to collect their data.
Protections for Minors
Companies must explicitly request permission to collect and sell information from minors. Those between the ages of 13 and 16 must opt in for data collection, while those between the ages of 16 and 18 must have the right to opt out. Companies must obtain permission from a minor’s guardian to sell the minor’s information.
Non-Discrimination for Exercise of Consumer Rights
The California consumer protection act provides protections for consumers who exercise their right to privacy. Businesses cannot refuse to sell goods or provide services to consumers who opt out of data collection, and they cannot charge higher prices or provide lower-quality goods to consumers who do so.
Other CCPA Regulations
CCPA regulations allow consumers to sue companies that do not comply with the law – even if the consumer’s data has not been involved in a breach. (Under the California Consumer Privacy Act, a breach is defined as “unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information”.)
CCPA vs. GDPR
There is considerable overlap between the CCPA and GDPR. However, compared to the General Data Protection Regulation, the California Consumer Privacy Act takes a broader view as to what constitutes personal data.
GDPR, on the other hand, has more stringent requirements – such as a 72-hour window in which a company must report a data breach, and the option for consumers to correct discrepancies in their data. While GDPR compliance does not automatically indicate CCPA compliance, companies that have already taken steps towards becoming GDPR-compliant may have a head start on becoming CCPA-compliant as well.
Who is Required to Comply With the California Consumer Privacy Act?
Any company that does business with California residents and has more than 25 million in annual revenue is considered a “covered business” and must comply with the CCPA – no matter their industry, size, or location. This includes companies that are headquartered outside of the United States. (Non-profits are excluded from the law.)
Companies that have collected personal data from more than 50,000 people or data brokers that obtain more than half of their revenue from the sale of personal data must also comply.
CCPA Exemptions & Amendments
To reduce the burden of CCPA compliance, legislators introduced several amendments once the initial bill was passed. These amendments include:
- AB 25, which provides a one-year exemption for data collected for employment purposes
- AB 1564, which permits businesses to offer email (rather than a phone number and physical address) as the primary method of contact for consumer requests
- AB 1355, which provides a one-year exemption for B2B communications
What are the Penalties for CCPA Non-Compliance?
If a company violates the California Consumer Privacy Act, they have 30 days from the time that they are notified to address the issue before they can be held financially liable. Non-compliance can carry fines of up to $2,500 per incidental violation and up to $7,500 per intentional violation. The California Attorney General is responsible for levying these non-compliance fines.
Consumers can also pursue damages directly from a company that failed to protect their data under the California privacy law. If they believe their privacy rights have been violated, they must provide written notice directly to the company. If the issue is not addressed within 30 days, the individual can bring a class action suit. CCPA regulations allow for statutory damages of up to $750 per consumer, per incident, or actual damages – whichever is greater.
While the 2020 California Consumer Privacy Act does include certain specific requirements, there is not currently an industry-standard framework for becoming CCPA-compliant. The changes you’ll need to make depend on the policies and procedures you already have in place, as well as the other regulatory requirements that apply to your business.
Ready to learn more about the things you’ll need to consider, and what you need to know about this new compliance requirement? Read part two of this series here.
This article is for general informational purposes only and does not constitute legal advice and should not be acted upon as such. Please contact an attorney to obtain advice on any specific legal issues.