According to a study from Pew Research, data privacy and security is now a concern for more than half of US adults, and respondents felt their data was less secure than it was five years earlier.
Consumers are more aware of data privacy than they have ever been, which has prompted new laws and regulations globally. In Europe, the General Data Protection Regulation (GDPR) set strict rules on what an organization may and may not do with personal data and gave individuals enforceable rights over that data. In a global economy, the GDPR laid the groundwork for the acceptance of consumer privacy as a legal right around the world.
In the US, the California Consumer Privacy Act (CCPA) was signed by the Governor of California on June 28, 2018, and came into effect on January 1, 2020. At the time of writing it is the strongest consumer privacy law in the US.
To help you navigate the CCPA, here is an overview of how it protects data privacy.
BUSINESSES AFFECTED BY CCPA
With a state population of almost 40 million and a net worth of more than $160,000 per resident, companies are scrambling to make sure they comply with the act.
The CCPA is similar to the GDPR in that companies serving California residents must follow the act's rules on handling personal information. The CCPA applies to for-profit businesses that do business in California, subject to the size thresholds below.
The act does not limit itself to businesses physically located in California, so it is read as covering any business, regardless of location, that does business in the state and collects personal information from California residents. In other words, if you sell goods online and a California-based customer buys them, your business could be subject to the CCPA.
Where the GDPR applies to any business regardless of size, the CCPA focuses on larger businesses. A business is covered if it meets any one of the following criteria:
- Has annual gross revenues of more than $25,000,000, OR
- Buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices per year, OR
- Derives 50% or more of its annual revenue from selling California consumers' personal information
An organization can also fall under the CCPA if it is controlled by, and shares common branding with, a business that meets the criteria above.
DATA PRIVACY REGULATIONS COVERED BY CCPA
The CCPA is all about the respect and protection of a consumer's personal information. Like the GDPR, the CCPA is concerned with data linkability: anything that could allow an individual to be identified. The CCPA defines personal information as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Household is not defined in the statute itself, but is likely to mean a physical address, or data such as an IP address that could be used to trace an individual to a physical address. Including households extends the protection to devices that represent a household rather than a single person, such as a smart meter or a digital assistant.
When collecting personal information, an organization that falls under the CCPA must inform consumers, at or before the point of collection, of:
- The categories of personal information being collected, and
- The purposes for which that information will be used
The CCPA also grants consumers rights over their data, including:
- The right to deletion – a consumer can request that a business delete the personal information it holds about them. There are exceptions under certain circumstances, for example information that is necessary to provide the requested service, to detect security incidents, or to protect against fraud.
- The right to know, access and port – a consumer can request access to the personal information a business holds about them, and receive it in a readily usable format. The CCPA is granular in its approach to this right: a business must disclose the categories of personal information it collects, the sources, the business purpose, and the categories of third parties it shares the information with.
A business must respond to a verifiable consumer request within 45 days of receiving it (extendable once by a further 45 days where reasonably necessary, provided the consumer is notified).
In the GDPR, consent is a central pivot that has driven much of the discussion around the regulation. The CCPA takes a different approach: rather than requiring consent to process personal information, its central mechanism is the consumer's right to opt out of the sale of their personal information. On this point the CCPA explicitly requires a business to:
"Provide a clear and conspicuous link on the business's Internet homepage, titled "Do Not Sell My Personal Information," to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer's personal information."
Unlike the GDPR, the default under the CCPA is therefore opt-out rather than opt-in: a business may sell personal information unless the consumer objects. The exception is consumers under 16, whose personal information may not be sold without affirmative opt-in consent (from a parent or guardian for children under 13).
FINES & PENALTIES UNDER CCPA
One of the areas that sent shivers down a compliance officer's spine in the GDPR was the size of the fines for non-compliance.
Under the CCPA, civil penalties for non-compliance, enforced by the California Attorney General, are:
- Up to $7,500 per intentional violation of any provision, or
- Up to $2,500 per unintentional violation
This is very different from the fines set by the GDPR, the largest of which is 4% of global annual turnover or 20 million euros, whichever is higher. Note, however, that CCPA penalties are assessed per violation, so a breach affecting many consumers can multiply quickly.
The CCPA also gives a business 30 days from notification of an alleged violation to cure it before enforcement action is taken.
Of the penalties collected, 20% goes to a "Consumer Privacy Fund" to offset the costs of enforcement.
The real sting may come from the private right of action. The CCPA allows individuals to sue a business directly when their nonencrypted and nonredacted personal information is exposed in a data breach caused by the business's failure to implement reasonable security procedures. A consumer can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, without having to prove actual harm. This clause has caused concern about class-action lawsuits, whose costs could end up well above the civil penalty threshold. In practical terms, encrypting or redacting personal information at rest is the most direct way to keep a breach outside the scope of this clause.