On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). Its passing and upcoming implementation on January 1, 2020 mark a significant step forward for the cause of protecting and safeguarding individuals’ personal information in the digital age.
The CCPA’s guidelines are similar to the General Data Protection Regulation (GDPR), which was implemented on May 25, 2018 and concerns the privacy of citizens in the European Union (EU) and the European Economic Area (EEA).
The bill was designed to strengthen the individual privacy rights of its residents by affording them the following five rights:
The bill was actually first introduced on January 3, 2018 in the wake of the well-publicised Facebook-Cambridge Analytica data scandal – in which tens of millions of individuals’ Facebook profiles were obtained without their permission for political advertising objectives.
“A series of Congressional hearings [following the scandal] highlighted that our personal information may be vulnerable to misuse when shared on the internet,” reads a portion of the bill. “As a result, our desire for privacy controls and transparency in data practices is heightened.”
Another section of the bill details the broad scope of what is defined as “personal information” and dictates the negative consequences of unauthorized privacy invasion:
“[Businesses] may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.
“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”
Specifically, the CCPA defines “personal information” as including (but not limited to) a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other comparable identifiers.
The CCPA applies to any organization or for-profit entity that ingests the personal data of consumers, conducts business in California, and meets one of the following three conditions:
Companies must meet the following requirements to comply with the bill:
Regarding penalties and sanctions for noncompliance, companies that allow themselves to become victims of data theft or any other data security breaches could be required to pay statutory damages anywhere from $100 to $750 for every single resident/incident.
Meanwhile, fines of up to $7,500 can be imposed for each intentional violation and $2,500 for each unintentional violation.
Such figures can add up quickly. For instance, an intentional violation involving 20,000 customers could wind up costing guilty organizations as much as $150 million.
For more information on the CCPA, see the official CCPA website published by the State of California.