What is the California Consumer Privacy Act (CCPA)?
23 Jul 2019
Similar to the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to protect the privacy and data of consumers. The CCPA initiative states that the act is intended to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”
The CCPA sets out a series of rights, similar to those under the GDPR, that give citizens greater power over the use of their personal data.
When does the CCPA come into force?
The CCPA is set to go live on January 1, 2020.
What will the CCPA do for consumers?
The California Consumer Privacy Act will accomplish three major things, giving consumers a set of new rights over their data:
- Consumers will have the right to know what information companies are collecting
- Consumers will have the right to say no to a business sharing or selling their personal data
- Consumers will have the right to protection against businesses that do not uphold the value of privacy
All businesses will be held accountable if data is compromised due to security flaws or breaches.
What companies will have to comply with the CCPA?
Companies that meet the following criteria will have to comply with the CCPA:
- The company has an annual gross revenue exceeding $25 million; or
- The company obtains personal information of 50,000 or more California consumers, households, or devices annually; or
- The company obtains 50% or more of its annual revenue from selling California consumers’ personal information.
These criteria may seem quite high, but when e-commerce and credit card sales are taken into account, the 50,000-record threshold is met by any business that averages 137 unique sales per day – which could include small retailers, coffee shops and the like.
It’s safe to assume that most companies in the US will have customers in California, and likely have to comply if they want to continue to receive, process and sell information from those consumers. As the world’s 5th largest economy, California is setting a major precedent with this regulation!
How is CCPA Different from GDPR?
GDPR was implemented on May 25, 2018, to standardize the data protection law across all 28 European Union (EU) countries. It requires businesses to protect consumers’ personal data for transactions that occur within the EU and affects any US business that operates in the EU.
Unlike GDPR, CCPA applies only to businesses operating in the state of California, not in the European Union. CCPA also focuses explicitly on regulating the market for selling personal information for profit, whereas GDPR focuses on data ownership and rights of deletion.
The other major difference is that while GDPR treats fines as the main tool in the regulator’s powers, CCPA adds a private cause of action in the event of a breach of personal information.
In these cases, consumers are allowed to obtain the greater of actual damages or statutory damages within a range of $100 to $750 “per consumer per incident”. Given the large numbers of individuals who can be affected by a single breach, class actions could make the financial penalties for companies that don’t get their house in order very high indeed.
CCPA and Subject Access Requests
As a more recent regulation, CCPA has some important points on people’s rights to access, and how companies can meet this adequately and responsibly:
Upon a consumer’s request, a business shall disclose the categories of personal information (a) “collected about the consumer”, (b) “sold about the consumer and the categories of third parties to whom the personal information was sold”, and (c) disclosed about the consumer for a business purpose.
This means a SAR or DSAR (abbreviations for an access request) is more specific: it adds categories describing what the data is being used for and how it is being monetised. This approach lends itself well to the kind of Data Dialogue we advocate at Tapmydata, where a company is open and honest from the start about what it does with data and why, without the rigmarole and risk of sending all the data about an individual over to them. What they are doing with the data is the key piece of context.
The second interesting element of subject access requests under CCPA is that there is more operational detail about how they should be made. Among other things, the business must allow the consumer to make requests by at least two methods, including a toll-free number and a website.
This opens the door for more cost-effective rights tools, apps and interfaces where the consumer drives the process, which was undoubtedly the intention behind CCPA and the general direction of travel with privacy.
Just the beginning
The CCPA is just the beginning. By 2025, the US can expect more states to sign similar legislation, giving every US consumer the right to know exactly how their data is being used. Companies would do well to prepare now rather than wait until the deadline. Privacy and rights around data are coming – it’s just a matter of time.