The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is legislation designed to protect the digital privacy and consumer rights of residents of the State of California. It has often been compared to Europe’s GDPR, with some justification.
Ordinarily, state-level legislation wouldn’t make national, let alone international, headlines. But California is no ordinary state: Its domestic economy produces a staggering $3 trillion per year. To put that in perspective, if California were a country, it would have the fifth largest economy in the world, falling between Germany and the United Kingdom.
Since California does so much business with the rest of the world, companies in the United States and abroad are scrambling to make sure that they are in compliance with the law before it comes into effect in January 2020.
In this brief article, we’ll explain the major provisions of the law, and we’ll let you know what experts are advising businesses to do in order to comply (and avoid penalties and fines).
Legal Disclaimer: This article is for news and information purposes only, and is not intended to take the place of professional legal advice. If you or your company require detailed advice about CCPA compliance, you should consult your attorney or legal advisors.
What does the CCPA protect?
The CCPA is designed to protect both digital privacy and consumer rights. It is largely a response to the trend of companies collecting and reselling personal information for commercial purposes (at the expense of consumers’ privacy).
Broadly speaking, the CCPA guarantees the rights of California residents to:
- Know if their personal data is being collected (and what the data is)
- Know if their personal data is being sold (and to whom)
- Access their personal data
- Demand deletion of stored personal data and/or prohibit its sale
The CCPA also contains provisions which prohibit price discrimination if consumers exercise their rights guaranteed under the new law.
What does the CCPA require?
In order to comply with the new law, companies which collect data on California residents must do several things.
First, they must give Californians a chance to opt out of the sale of their data via a clear and conspicuous homepage link stating “Do Not Sell My Personal Information”. The link should direct site visitors to an opt-out form or some other method of conveying the opt-out request, and the same link must appear in the privacy policy. Users who opt out of the sale of their personal information may opt back in at any time, but a business that has received an opt-out must wait at least 12 months before asking that consumer to authorize sales again.
Second, companies must provide at least two means of requesting access to or deletion of personal data. One of them must be a toll-free phone number (unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address is sufficient); the other can be a web form, email address or postal mail address. Businesses may (and should) verify that a request actually comes from the consumer it concerns before acting on it. Requests must be processed within 45 days of receipt, extendable once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. Requests for information on the nature and use of personal data collected by the company are answered with a report covering the previous 12 months. A consumer may make this request only twice within a 12-month period.
Third, companies must update their website privacy policies to inform California residents of their rights under the new law.
The CCPA also forbids selling the personal information of a consumer the business knows to be under 16 unless there is affirmative opt-in consent: the consent of a parent or guardian for a child under 13, and the minor’s own consent for consumers aged 13 to 15.
Lastly, the act requires companies to implement and maintain “reasonable security procedures and practices”, appropriate to the nature of the information they hold, to protect consumers’ personal information from breaches.
Which companies must comply?
The CCPA applies to for-profit companies doing business in California which meet any of the following three tests:
- The company derives 50% or more of its annual revenue from selling the personal information of consumers
- The company buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year
- The company has an annual gross revenue of over $25 million
Note that this law applies to businesses based outside of California with customers in California, not only California-based businesses.
What are the penalties for non-compliance?
Companies found to be in intentional violation of the law may be fined by the California Attorney General up to $7,500 per violation; an unintentional violation can draw a fine of up to $2,500 per violation. In addition, if non-encrypted and non-redacted personal information is exposed in a data breach resulting from a failure to maintain reasonable security procedures and practices, affected consumers may sue for statutory damages of between $100 and $750 per consumer per incident, or for their actual damages, whichever is greater.
What should companies do to get ready?
The CCPA is a fairly complex law which has gone through multiple revisions. It is also, in the opinion of some experts, unclear in places, and there are still certain elements, like the proposed regulations drafted by the Attorney General, that have yet to be finalized. So the first step for any company concerned about compliance should be to contact their legal team or advisors and visit the information portal for the law set up by the Office of the Attorney General of California.
The law’s main focus is clearly information and consent, so companies should adhere to the guidelines regarding disclosures, opt-out links, information and deletion request channels, and privacy notices. They’ll also need to come up with a strategy to obtain the parental consent of underage users, if they have any. In all of this, companies should take into account web accessibility issues (which is something that their web developers should be doing anyway), which are likely to become part of the regulations of the CCPA.
Beyond this, companies should consider the practicalities of how they will actually handle deletion and information requests. They should, at a minimum, have some sort of internal procedure in place to process information, opt-out, or deletion requests in a timely fashion. Part of this will entail having a good sense of exactly how and where to find the different kinds of information which must be included in any report to a customer, or which must be deleted. It may be necessary to do some organizational work and create some documentation for this purpose. In addition, companies should also consider whether to offer the same opt-out provisions to all consumers and not just California residents, since it appears that a patchwork of privacy laws will be sprouting up across the country.
While companies are hopefully already following best practices to prevent a data breach, they may want to conduct a thorough review of their security controls with their IT and security staff in order to make sure they meet the “reasonable security procedures and practices” standard required by the CCPA, since a breach of unencrypted data is the one scenario in which individual consumers can sue directly.
It’s anyone’s guess how strictly the law will be enforced after it comes into effect in January, or how vigorously California will prosecute violators; the Attorney General may not bring enforcement actions until July 1, 2020, or six months after the final regulations are published, whichever comes first. But one thing is certain: The CCPA is an extremely important piece of legislation which may provide the legal framework for future federal data privacy laws, perhaps even a U.S. version of the GDPR.