CCPA – What You Need to Know about California’s Sweeping Privacy Legislation
Published: August 19, 2019
Author: Shane Danaher
If your business handles customer data, then you need to have a plan in place for complying with the California Consumer Privacy Act – a piece of legislation with wide-ranging implications for the entire digital ecosystem.
This blog is NOT meant to be taken as legal advice; rather, it provides info that can serve as a starting point for your journey toward CCPA compliance.
What is the CCPA?
The California Consumer Privacy Act is a piece of legislation designed to give citizens of California better control over how their data is shared on the internet. Although the legislation resembles the European Union’s GDPR in several respects, it also has areas of divergence significant enough to require businesses to have a separate plan in place for dealing with CCPA compliance.
For those interested in a bird’s-eye view, read on.
How long do I have to prepare?
The CCPA goes into effect January 1, 2020. You’ll want your business to have a full compliance plan in place well before that date.
Who has to be worried about CCPA?
CCPA was written to target large and medium-sized businesses that deal in consumer information. In order to fall within the bill’s purview, a company must be a for-profit entity that collects the personal information of Californian citizens. It must also meet any one of the following criteria:
- Produce annual gross revenues greater than $25 million
- Annually buy, sell, or share consumer information of more than 50,000 Californian consumers, households, or devices
- Earn at least 50% of its revenue from the sale of California consumers’ personal information
Does this apply to me even if I don’t do business in California?
Technically no, but in practice it most likely will impact you.
For one, if your business provides services to any business of California, you could fall within the bill’s purview. Given that California is the United States’ most populous state and the preeminent nexus of the tech economy, chances are you could be providing services to a “business” as defined by the CCPA.
Also, even if they haven’t done so yet, expect to see more states passing legislation similar to the CCPA. Consumer privacy is nigh, and regardless of where you’re doing business, it’s better to be prepared.
What rights does CCPA give to consumers?
CCPA gives Californian consumers sweeping rights with regards to their personal data. According to the legislation, consumers have the right to:
- Know what personal information about them has been collected
- Know whether or not that personal information has been disclosed or sold
- Opt out of the sale of their personal information
- Request the deletion of their personal information
- Access their personal information
- Maintain equal service from a company even when they (the consumer) exercise their right to control their consumer data
What does “personal information” mean here?
Compared to the GDPR, the CCPA’s definition of “personal information” is notoriously broad.
As of the publication date, “personal information,” according to the CCPA, includes any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This means that the “usual suspects” – such as email address, birth date, and Social Security number – are considered “personal information” under the CCPA, and so are IP addresses, browsing history, search history, biometric data, location data, and randomized personal identifiers.
What happens if my company violates the CCPA?
The punishments for violating the CCPA differ depending on whether or not the courts conclude that you violated the law intentionally.
Intentional violations carry the maximum civil penalty of $7,500 per individual, per violation.
Accidental violations carry a maximum civil penalty of $2,500 per individual, per violation.
If you consider that you have a database with the personal data of 500,000 individuals, and that each data point misused counts as a “violation,” these penalties can quickly reach astronomical extremes.
Also, if the courts conclude that a company did not take reasonable measures to protect consumers’ data, consumers are then entitled under the law to $100 – $750 per incident or actual damages for any misuse of their data.
Are there exceptions?
Yes, federal law preempts the CCPA in several scenarios.
- Health-related information – Information governed either by HIPPA or by California’s Confidentiality of Medical Information Act is not subject to the CCPA’s restrictions
- Consumer reporting information – The Fair Credit Reporting Act protects information sold for the purpose of creating accurate credit reports
- Some financial data and some motor vehicle data – The Gramm-Leach-Bliley Act (GLBA), which governs how financial institutions can share consumer data, and the Driver’s Privacy Protection Act (DPPA), which governs how state Departments of Motor Vehicles can disclose consumer data, both preempt the CCPA in certain instances
Is this all written in stone?
No! The CCPA’s malleability makes compliance with the law particularly tricky.
Not only does the CCPA leave several of its finer points up to the courts for clarification, it’s also possible that the law itself will undergo significant changes before it takes effect.
Already, as of its Fall 2019 session, the California State Legislature has adopted several amendments to the CCPA. The most significant of these include:
- Employee and B2B exemption – Personal information collected by an employer concerning its employees or exchanged between two businesses in the course of conducting business will not be subject to CCPA until January 1, 2021.
- Publicly available information exemption – This excludes information obtained from government records from the CCPA’s definition of “personal information.”
- Requirement for data broker registration – The CCPA now requires data brokers to register with the California State Attorney General. A “data broker” in this context means “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
For updates on the CCPA as they develop, check out the California Attorney General’s official website.
Federal intervention also threatens to rewrite the CCPA. With multiple states set to pass a hodgepodge of privacy laws in the near future, both legislators and tech companies have appealed to the Federal Government to pass national privacy legislation that would preempt the patchwork of state statutes. However, while federal legislation may at some point render the CCPA obsolete, no such law looks close to passage at the moment.
What should I do to prepare?
Start by performing an audit of your business and the ways you use consumer data. Then work with a legal professional to determine your exposure under the CCPA.