In June 2018, California legislators passed the California Consumer Privacy Act (CCPA), a ballot quickly replaced by a bill that was drafted and passed into law in the span of a week. This will create a number of challenges for companies to navigate the intricacies of the law and successfully comply with it. However, it will also open the door for companies to become advanced in strong data governance and ethics solutions – honoring consumers’ choices will be a strong display of transparency and trust.
Introduction to CCPA: what’s behind these four letters?
The CCPA, which came into effect on January 1st 2020, is a bill meant to drive California residents’ attention to the personal information that companies collect from them as well as how it winds up in other companies’ possessions – effectively protecting their privacy rights. At a high level, this new legislation will require organizations to be transparent in how they’re collecting, sharing and leveraging user data. Via a prominent header on websites, California residents will have the right to request to know what kind of data a company has collected about them, if they sold or shared this data with other companies [and if so which ones], and request the company to stop selling it.
There are five main rights that the CCPA provides:
- The right to request disclosure of a business’ data collection and sales customs related to the requesting user. This includes what PII, its source, how it was used, and whether it was shared with third parties
- The right to request a copy of the PII collected in the last 12 months
- The right to request to delete this PII
- The right to request not to have one’s data sold
- The right not to be discriminated against when exercising these rights
Which companies are affected?
- The law applies to companies that do business in California, so it is essentially an international law. Regardless of whether they have officers in California or the US, global companies will need to comply since the law covers state merchants who sell or list a website in California. Realistically, these companies will choose to comply rather than walk away from the world’s 5th largest economy
- Qualifying companies include those who make at least $25 million in annual revenues, have personal data on at least 50k users or collect more than 50% of their revenues from selling data
- Exempted companies include insurance institutions, agents, and support organizations as they already comply to the IIPA
Organizations will have 6 months to comply. Not only will businesses need to change their privacy policies, but they will also need to figure out what data they have been collecting: “It may sound obvious, but the reality is that many companies don’t actually fully know what data they collect and retain – Christopher Budd”.
In the case of a violation, companies will have 30 days to comply once notified of the violation [the “Cure Rule”]. Failure to comply results in a $7.5 fine per record. Users will have the right to sue and have class action lawsuits for damages. If missing security measures result in a breach, fines of $100 to $750 per consumer/incident/damages are within scope.
America’s GDPR? Not quite!
At first glance, the CCPA seems to be “America’s GDPR”. Indeed, both give users the right to access and delete their data, request transparency about the use of this information, and require contracts between organizations and their service providers. However, despite these comparable elements the two laws also present key dissimilarities.
On one hand, the CCPA isn’t as extensive as GDPR. It doesn’t require companies to have a legal basis for collection and use of sensitive data, doesn’t control the transfer of data outside the US, and doesn’t require to appoint a data protection officer to run impact assessments. Finally, users can only access data collected in the last 12 months and service providers are confined to less obligations.
However, in other respects the CCPA is more restrictive than GDPR. Indeed, it involves a broader definition of what constitutes sensitive data. The list includes consumers’ biometrics, internet browsing info, products purchased or considered, geolocation, academic and employment info and inferences drawn to create a profile about the individual to reflect preferences. The law exempts employee data and partially excludes personal info collected from job applicants, owners, directors, officers, medical staff, and contractors. Additionally, CCPA grants the right to opt out of the sale of one’s data and forces businesses to add “Do Not Sell My Personal Information” headers to their sites and apps.
Both laws prescribe differing provisions with service providers, and the CCPA’s data processing requirements are more stringent than that of GDPR’s. Lastly, the two legislations treat children’s privacy differently. GDPR requires that parents give permission for the processing of their children’s [under 16] data only when the legal basis for processing is consent. CCPA considers the sale of children’s data rather than all processing, and requires organizations to obtain opt-in consent first. Parents grant permission for children under 13, and teens 13-15 can give consent for themselves.
Updates are coming
Given the record time in which the CCPA was compiled, there will probably be amendments to address instances of inclarity in the law. For example, the definition of “sensitive data” is broad and non-exhaustive. Another example is that the CCPA gives 30 days for organizations to “cure” a breach and avoid litigation. Individual or classwide action cannot be brought if the business 1) cures the violation 2) notifies the consumer in writing that the issue has been addressed and that no future breaches will reoccur. Unlike other consumer protection laws, the CCPA specifies that “no action for individual statutory damages or class-wide statutory damages may be initiated against the business” if the cure is sufficient to the plaintiff. Hence, an individual cure is a class cure.The catch here is that the term “cure” is not clear.
Both the CCPA and GDPR are the result of a system created by the internet whereby organizations collect, save, use, and share personal data. The degree of such data collection and use has attained huge proportions, resulting in the equivalently increasing hacking and misuse of personal data. While the CCPA is not quite America’s GDPR, it is most certainly the beginning of it. The law was officially implemented January 1st 2020, and organizations that do business in California will have 6 months to navigate its implications and successfully comply with them.
Stay tuned for part 2 of our series on CCPA to understand its impact on data processing, and what you as a business should be on the lookout for to get ahead of the curve in data privacy compliance!