Explaining the California Consumer Privacy Act
In late June 2018, California passed the California Consumer Privacy Act (CCPA), AB 375, which went into effect on January 1, 2020. It was passed after the European Union’s own privacy law, the General Data Protection Regulation (GDPR), went into effect this past spring.
What is CCPA, and how does it differ from GDPR?
CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. AB 375 also lets Californians ask companies to delete their data and not to sell it. In other words, California’s law protects consumers by giving them much greater access to their records. In practice, most companies are going to have trouble pulling that information together, because cross-silo file management has become a major challenge: data is spread across multiple storage platforms and stored in different file types, making it harder to retrieve. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach. For the first time, the bill not only gives an individual the right to sue, but it also allows class action lawsuits for damages. The law specifies that companies must have a clearly visible footer on their websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. Consumers can also sue if they cannot find out how their information has been collected or cannot get copies of that information.
The California law, however, does not have some of GDPR’s most onerous requirements, such as the narrow 72-hour window in which a company must report a breach. CCPA assigns specific penalties should unauthorized access occur, whether through a breach, exfiltration, theft, or “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” It allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater. This, on top of all the other breach-related costs (IT response, forensics and recovery, legal, notification, and so on), could push a breach into the realm of an existential threat for many businesses. Unlike the GDPR, the CCPA defines penalties for companies that expose consumer data through a breach or security lapse. However, businesses are not required to report breaches under AB 375, and consumers must file complaints before fines are possible.
Who does the CCPA affect?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that hold personal data on at least 50,000 people, or that collect more than half of their revenue from the sale of personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to be affected by CCPA; in fact, they don’t even have to be based in the United States.
Companies must have had their data tracking systems in place by the start of 2019, because AB 375 gives consumers the right to request all the data a company has collected on them over the previous 12 months. After receiving an access request from a consumer, a company has 45 days to provide a comprehensive report covering what type of information it holds, whether that information was sold, and to whom; if it was sold to third parties over the past 12 months, the company must give the names and addresses of those third parties. If it is unable to do so, the company has 30 days to comply with the law once regulators notify it of a violation. If the issue isn’t resolved, there is a fine of up to $7,500 per record.
A company cannot refuse users equal service, but it can offer incentives to users who provide personal information. This lets businesses offer discounts to people who are willing to have their data shared or sold to third parties (this provision might be subject to change). If a consumer exercises their rights under the regulation, businesses cannot provide that consumer a different level or quality of products, goods or services. However, businesses are not prohibited from charging a consumer a different price or rate, or from providing a different level or quality of goods or services, if that difference is reasonably related to the value provided to the business by the consumer’s data.
What AB 375 considers “personal information”:
The California law takes a broader approach to what constitutes sensitive data than the GDPR. Personal information includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Marital status, sexual orientation, status as a member of the military or veteran
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
- Biometric information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
The California Consumer Privacy Act was put together in just seven days because legislators wanted to avoid passing an even stricter law, so amendments to the law after it takes effect can be expected. The core tenets and rights are likely to remain, however.
By Adam Higelin
Adam Higelin is a University of California, Berkeley graduate with a BA degree in Integrative Biology. He is a passionate writer with a love for the environment, botany and music. A special focus on research based, scientific writing has allowed Adam to pursue his dream of educating and inspiring people to better themselves and the lives of others.