Historically, the United States has lagged behind other developed countries in taking steps to protect its citizens’ personal information online. Unlike the European Union, which adopted the sweeping General Data Protection Regulation (GDPR) in 2016 to give individuals more control over their personal data, the U.S. has yet to pass any comprehensive federal legislation to protect consumers in this area.
In the absence of federal leadership on data privacy, California lawmakers took matters into their own hands in 2018, passing the California Consumer Privacy Act (CCPA) to give individuals meaningful agency over their personal data.
The text of the bill acknowledges that “the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy” and attempts to remedy the problem by requiring businesses to obtain consent from consumers before using their personal information for profit. But what is CCPA? Below we dig into the meat of the Act and more.
History of the CCPA
In the Golden State, citizens have the ability to propose laws and constitutional amendments, and if the proposed legislation receives enough support via petition, it will appear on a future ballot to be decided by the state’s voters. The CCPA began as one of these ballot initiatives, with the petition receiving more than 629,000 signatures.
However, if the proposed legislation had been approved by voters in the November 2018 election, state law would prevent the California legislature from being able to amend it in the future without a second ballot initiative. This prospect prompted the legislature to act quickly to preempt the ballot initiative, and its sponsors agreed to withdraw the measure if the state’s elected officials could pass a robust bill and get it signed by Governor Jerry Brown by the end of June that year—which they did, barely.
What is CCPA? Key Principles
The California Consumer Privacy Act, which went into effect on January 1, 2020, establishes four basic rights to which consumers are entitled relative to their personal information:
- The right to know what personal information a business has collected, how they collected it, how it is being used and to whom it is being provided or sold, if applicable
- The right to deny the business permission to share or sell their information to third parties (or in the case of minors, the right for the minor’s parents to deny this permission)
- The right to require the business to delete their personal information (albeit with a few exceptions)
- The right to receive the same service and pricing from the business, whether or not they choose to exert their rights to privacy under the law
The CCPA requires companies to proactively disclose their data privacy practices to consumers at the time the data is being collected. These disclosures must include what types of consumer information the company collects, how it will be used and what kinds of personal information it shared or sold in the 12 months prior. Additionally, the act requires these disclosures to be:
- Easy for the average consumer to read and understand, with minimal technical or legal jargon
- Presented in a visible and legible format
- Available in all languages that the business uses to deliver contracts, disclaimers, pricing and other information to its customers
- Accessible to consumers with disabilities
Companies must also offer consumers the opportunity to opt out of participating in the sale of their data by displaying a “Do Not Sell My Personal Information” link on the home page of the company’s website. Consumers younger than 16 are automatically excluded from the sale of their personal information unless they or a parent or guardian explicitly opts in.
As part of the law, businesses must provide consumers with at least two methods for finding out how their data is being used: a toll-free phone number and a link on their website. Businesses must respond to a request for this information within 45 days, providing the specific pieces of personal data collected, the source of the information and any third parties with whom the information was shared.
Finally, the law prohibits companies from taking any punitive steps against consumers who opt out of having their information shared or sold. Businesses cannot refuse to provide goods or services, charge higher prices for goods or services or provide reduced-quality goods or services to consumers who opt out of having their information shared or sold. However, businesses are allowed to offer incentives to consumers in exchange for the collection, sale or other use of personal information.
What is CCPA? Defining “Personal Information” Under the CCPA
According to the language in the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specific examples of personal information protected under the act include:
- Product purchase history
- Internet browser and search history
- Education information
- Biometric data
- Tax identification numbers
- Passport numbers
- Military identification numbers
- Unique identification numbers issued on a government document
However, it does not protect other information that is publicly available through government records.
What is CCPA? Businesses Subject to the CCPA
Businesses subject to compliance with the CCPA include for-profit businesses that collect and use the personal information of California residents, conduct business in California and meet one of the following criteria:
- Report annual gross revenues of more than $25 million
- Receive or share personal data from more than 50,000 California residents, households or devices in a single year
- Earn 50 percent or more of their annual revenue from the sale of California residents’ personal information
Smaller businesses affiliated with brands that meet the above standards must also comply with the law.
Businesses exempt from complying with the act include nonprofit organizations, small businesses, businesses that use only small amounts of personal data and businesses that collect and sell Californians’ personal data while the consumers are outside state lines. to the Act by virtue of having “consumers” (California residents) among their customers, as described in further detail immediately below.
What is CCPA? Consumers Protected by the CCPA
The CCPA covers anyone who claims California residency on their taxes. Because most large corporations serve California customers in some way, most of these brands are subject to compliance with the act, even if they have no physical presence within the state.
Customers living outside California doing business with these companies are also likely to benefit from the protections of the act, since the companies are unlikely to have different versions of their website based on where the IP address accessing the site is based. As a result, any company with an online presence will almost certainly need to update their websites with privacy policies, opt-out information and a way to obtain the disclosures required by the CCPA.
What is CCPA? Enforcement of the CCPA
The California Attorney General is charged with upholding the provisions of the CCPA, and the penalty for violating the act can reach $7,500 per infraction.
Additionally, the act gives consumers considerable recourse if they believe their rights under the CCPA have been violated. Through individual or class action lawsuits, citizens can petition to be compensated for statutory or actual damages and other legal relief if their personal information has been shared or sold due to a company’s failure to uphold the security protections required by the law. For each incident of violation, consumers may receive between $100 and $750 in statutory or actual damages.
However, the law does contain a few provisions that may make it challenging for consumers to actually receive these damages. Consumers seeking statutory damages must give the defendant 30 days’ advance notice of their intent to sue, and if the business can provide written evidence that the violation of the law has been remedied, consumers are prevented from continuing with the suit.
In the case of actual damages, the consumer does not have to provide this advance notice to the company. The consumer must also notify the California Attorney General within 30 days of filing the suit, and the Attorney General may respond in one of three ways: by opting to pursue the prosecution through the Attorney General’s office; by notifying the consumer that they may not proceed with the suit; or by not responding at all, clearing the way for the consumer to continue with the legal action.
What is CCPA? Comparing the CCPA to the GDPR
Though both are robust consumer data protection laws, the California Consumer Privacy Act and the European Union’s General Data Protection Regulation (GDPR) have few elements in common. Unlike the CCPA, the GDPR is an omnibus law that not only determines the disclosures companies must make to consumers, but also lays out specific procedures for implementing data security and notifying customers and regulators of any data breaches.
The GDPR also confers additional rights to consumers that the CCPA does not, including the right to be forgotten, the right to rectification and the right not to be subject to a decision based entirely on automated processing.
While the GDPR is in some ways more comprehensive than the CCPA, businesses cannot assume that if they already comply with the GDPR, they will automatically meet the requirements of the CCPA as well, since the laws take contrasting approaches to consumer consent.
Under the GDPR, consumers must proactively and explicitly opt in to give the business permission to collect and use their personal data. The CCPA, on the other hand, simply requires businesses to give consumers the opportunity to opt out of having their data collected and used for commercial purposes.
What is CCPA? Future Effects of the CCPA
Practically speaking, the adoption of the California Consumer Privacy Act could be a watershed moment for consumer data protection in the United States, in large part due to the state’s significant population and the economic behavior of its citizens. Because the majority of mid- to large-sized companies in the U.S. are likely to do business with California residents in some fashion, they will be subject to compliance with the CCPA, even if the business is based elsewhere.
These businesses will need to take steps to ensure that their policies, procedures and websites meet the law’s requirements. Businesses that do not proactively work to comply with the CCPA should anticipate an uptick in legal action by consumers as awareness grows related to their enhanced rights under the law.
The law is also likely to empower a new generation of consumers who expect their personal information to be protected and are willing to take action against companies that fail to meet these expectations, either due to lax security procedures or the intentional sale of consumers’ personal data for commercial purposes.