On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. Although the law is similar in some regards to the European Union’s GDPR (General Data Protection Regulation), the California law differs in one key aspect: it can potentially affect any company that does business in the Golden State. As a consumer and Californian, it is important that you know what rights you have under the law. For business owners, it is important to understand what is required to comply with the law, and whether you are required to do so.
The intentions of the CCPA are relatively straightforward. The law provides California residents the right to: know what personal data is being collected about them, know whether their personal data is sold or disclosed and to whom, say no to the sale of personal data, access their personal data, request that a business delete any personal information about a consumer collected from that consumer, and not be discriminated against for exercising their privacy rights. You may have seen pop-up notifications on websites that you visit informing you that the website collects your data and providing you with the ability to opt out of this collection; these notifications are a direct result of compliance with the CCPA.
Outside of the codified rights outlined above, many readers are probably asking themselves what this means for them. Perhaps the most prescient feature of the CCPA is the right to request that data be deleted. Sometimes called the right to be forgotten, this is something that privacy advocacy groups, like the Electronic Frontier Foundation, have fought to have recognized for some time. This means that consumers can go a step beyond deleting their account: if they no longer wish for a company to have identifying information about them, they can request that it be deleted. One major caveat to the law, however, is that it only applies to data collected about consumers from consumers themselves. Publicly available data, like property deeds, is still available for sale to advertisers.
Another important feature of the CCPA is that it gives consumers the right to sue companies in the event of a data breach. Although most companies are less than thankful for another source of litigation, the threat of a lawsuit, or class action lawsuit, is a boon to consumers. Companies that must comply with the CCPA will take additional steps to secure consumer data to prevent legal action.
Although these enumerated consumer rights seem relatively benign, business owners and HR managers across California are wondering whether they are required to comply with the CCPA, and what form that compliance will take. In short, the CCPA applies to any business, including any for-profit entity, that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds: has annual gross revenues in excess of 25 million dollars, buys or sells the personal information of 50,000 or more consumers or households, or earns more than half of its annual revenue from consumers’ personal information. If your business meets any of those criteria, the CCPA requires that it implement and maintain reasonable security procedures and practices to protect consumer data. It is important that businesses do so, as each violation of the CCPA carries a fine of up to $7,500.
With any new regulation, it is important that consumers and businesses understand their rights and obligations.
Those who would like further information on the legal aspects of the CCPA are advised to contact a legal professional. For more information on the technical aspects of the law, and what is required for an organization to be compliant, please contact an Information Technology professional.