California Consumer Privacy Act
We’d like to congratulate you on successfully surviving the GDPR changes of earlier this year! Now that we’ve all had time to take a collective sigh of relief, it’s time to start preparing for CCPA. Yes, that’s right, we already need to prepare for another policy designed to protect users’ data. But what is CCPA, how does it differ from GDPR, and how will it affect you and your business? That’s what we’re here to answer.
The California Consumer Privacy Act (CCPA) was enacted on June 28, 2018 and will come into effect on January 1, 2020. It is a privacy act designed to protect Californians’ rights to access and delete the data that companies collect about them. The CCPA also allows users to opt out of their data being sold
CCPA applies to any organization that conducts business in California and meets one of the three following conditions:
- Earns $25 million or more in revenue per year.
- Annually buys, receives, sells, and/or shares the personal information of 50,000 or more consumers, households, or devices, alone or in combination.
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.
It is important to note that because visitors to a website contribute to the number of consumers, households, or devices for which data is received, nearly all businesses will be subject to CCPA.
The CCPA establishes a new privacy framework for covered businesses by:
1. Creating an expanded definition of personal information for purposes of the Act.
- Under the act, “personal information” (PI) is broadly defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This could be identifiers such as names, email address, aliases, addresses, IP addresses, commercial information, biometric information, browsing history, geolocation data, professional or employment-related information.
2. Creating new data privacy rights for California consumers. The act grants consumers with five categories of data privacy rights.
- Right to know all data collected about them (consumers), including the categories of data and why it is being acquired, before it is collected, and any changes to its collection.
- Right to access a copy of the “specific pieces of personal information that [a business] has collected about that consumer” to be delivered either by mail or electronically.
- Right to request deletion of their data.
- Right to opt out of the sale of their PI to third parties.
- Right of equal service, prohibiting discrimination against consumers who exercise their rights under the act.
3. Imposing special rules for the collection of consumer data from minors.
- For minors, CCPA prohibits the sale of PI if the consumer is younger than 16 years old. Businesses must obtain affirmative consent from the consumer if they are between the ages of 13 and 16, or their parents’ consent if they are under 13, creating a special opt-in system for minors.
4. Creating a new and potentially severe statutory damages framework for violations of CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches.
- Damages for violations of the act that the business did not cure within 30 days of notice is up to $2,500 per violation and damages for intentional violations is up to $7,500 per violation, in addition to the $2,500.
Now let’s talk about how CCPA differs from GDPR. Here are some key distinctions:
- While GDPR requires consumers to opt-in to data collection, CCPA only offers consumers the right to opt-out. That means, CCPA still allows sites to collect users’ data when signing up to a new site or making a purchase online whereas GDPR specifically requires sites to get consent before collecting any data. This is a huge difference.
- Another interesting difference between CCPA and GDPR is a difference between metadata and data. CCPA explicitly states that a consumer has the right to be informed of the categories of personal data, categories of sources of data, and categories of third parties that a business shares personal data with. GDPR only speaks about data and the need for plain language in terms of disclosures to data subjects.
- Yet another distinction between CCPA and GDPR is that damages can be awarded to individuals. In GDPR, fines can be levied for failure to comply that are four percent of global revenue or EUR 20 million (whichever is greater). CCPA ensures that in the event of a data breach, a business may have to compensate a consumer from $100 to $750 per individual or household.
Like GDPR, CCPA requires businesses to take several steps, including those listed below, to come into compliance on or before the effective date of January 1, 2020.
- Privacy policies will need to be updated. These policies must include two things, (1) a link that directs to the opt-out page and (2) the information required by the Right to know.
- Because of the right to know and right to deletion, businesses will need to implement a framework to track and respond to potentially large numbers of consumer requests.
- Businesses will need to be able to identify and segregate all consumer data they may sell.
- Businesses planning on mergers, acquisitions, or transactions involving consumer data should seek legal advice to determine if and how the act would impact such a transaction.
- Training programs will need to be developed and implemented for employees responsible for handling consumer inquiries about the business’s privacy practices or its compliance with the act.
- Businesses will need to offer a toll-free number and a website allowing consumers to opt out.
- For violations of the act, a business is subject to statutory damages as explained above.
So there you have it, we’ve explained the California Consumer Privacy Act to help you prepare for the effective date and make the necessary changes to ensure compliance. If you have any further questions or need any help relating to data privacy, please reach out to us. Anglepoint has decades of experience helping businesses create and implement data privacy policies and procedures, our deep expertise will ensure that your transition into CCPA is smooth and simple.