California Consumer Privacy Act (CCPA)

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a bill (AB 375), passed in June 2018, that provides California consumers with protections similar to those the GDPR provides in Europe. CCPA goes into effect on January 1, 2020.

The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

Currently, there is a surface-level interest in CCPA, where everybody wants to be compliant. Whether advertising companies have a desire for a deeper level of understanding remains to be seen, whether that is due to fear or a mindset that “This is practically the same thing as GDPR except for California”.

Which Companies are affected by CCPA?

  • Any company that serves California residents with at least $25 million in annual revenue
  • Any company that has personal data on at least 50,000 people
  • Any company that collects more than half of its annual revenue from the sale of data

Note that companies don’t have to be based in California to be subject to CCPA. This is similar to how an NYC-based company must abide by GDPR if it serves European consumers.

What Data Does The CCPA Cover?

According to csoonline.com, the CCPA covers:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

Consumer Rights Under CCPA

  • Consumers can request that companies do not share their data with third-party companies
  • A company has 45 days from the time of the request to provide a consumer a comprehensive report about what type of information they have, if it was sold, and to whom.
  • Companies must have a clearly visible footer on websites that offer consumers the option to opt out of data sharing (AKA the “Do Not Sell My Data” button.)

Penalties for Non-Compliance

  • Once a company is notified of a violation, they have 30 days to comply or they will face a fine of up to $7,500 per record. This could be a substantial amount of money considering the vast number of records that companies typically have.
  • AB 375 allows for penalties for the greater of the $100 to $750 per incident or actual damages.

CCPA’s Effects On Other States and Companies’ Policies

According to Gary Kibel, partner at Davis & Gilbert, LLP, “More than a dozen states either have new data protection regulations on the books or in committee, from Nevada, Maine, Pennsylvania and Connecticut to Massachusetts, New Jersey, Illinois and Maryland”.

Many of these states will follow California’s lead and implement some sort of data protection regulation to protect their residents. It will be interesting to see if a federal law will ever be passed that will require CCPA-like data regulations to be applied across the entire United States.

A likely strategy for companies starting January 1, 2020 is to simply start complying with CCPA in all states, not just California. This will allow them to abide by CCPA’s rules and prepare for the other state data regulations that will likely follow suit. It will also simplify their strategy by having one nationwide data policy instead of splitting up their data policy by state.
