California Consumer Privacy Act (CCPA) Compliance

CCPA Overview

On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). Its passing and upcoming implementation on January 1, 2020 mark a significant step forward for the cause of protecting and safeguarding individuals’ personal information in the digital age.

What is the CCPA?

The CCPA’s guidelines are similar to the General Data Protection Regulation (GDPR), which was implemented on May 25, 2018 and concerns the privacy of citizens in the European Union (EU) and the European Economic Area (EEA).

The bill was designed to strengthen the individual privacy rights of California residents by affording them the following five rights:

  • Know what personal information is being collected about them.
  • Obtain access to any information collected.
  • Know whether their personal information has been sold or disclosed (and, if so, to whom).
  • Opt out of (or refuse) the sale of their personal information and have any pre-existing information deleted.
  • Receive an equal degree of service and pricing regardless of whether they choose to exercise their privacy rights.

The bill was actually first introduced on January 3, 2018 in the wake of the well-publicised Facebook-Cambridge Analytica data scandal, in which tens of millions of individuals’ Facebook profiles were obtained without their permission for political advertising purposes.

“A series of Congressional hearings [following the scandal] highlighted that our personal information may be vulnerable to misuse when shared on the internet,” reads a portion of the bill. “As a result, our desire for privacy controls and transparency in data practices is heightened.”

Another section of the bill details the broad scope of what is defined as “personal information” and dictates the negative consequences of unauthorized privacy invasion:

“[Businesses] may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.

“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”

Specifically, the CCPA defines “personal information” as including (but not limited to) a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other comparable identifiers.

Who is Liable?

The CCPA applies to any organization or for-profit entity that ingests the personal data of consumers, conducts business in California, and meets at least one of the following three conditions:

  • Generates annual gross revenues greater than $25 million.
  • Acts as a data broker that buys, receives, sells, or shares the personal information of 50,000 or more residents, households, or devices.
  • Obtains more than half of its annual earnings through selling residents’ personal information.

Rules to Follow/Penalties for Noncompliance

Companies must meet the following requirements to fall in compliance with the bill:

  • Enact processes to acquire parental or guardian consent for minors under 13 years of age, and the full consent of minors between the ages of 13 and 16, for data sharing purposes.
  • Include a “Right to Say No to Sale of Personal Information” link on their respective website’s homepage. This link will lead users to a separate page allowing them (or someone they have authorized) to opt out of the sale of their personal information.
  • Delegate ways for residents to submit data access requests, including (at the very least) a toll-free phone number.
  • Revise their privacy policies to include a set of newly required information, including an explanation of California residents’ rights.
  • Refrain from soliciting opt-in consent for a period of 12 months after a resident chooses to opt out.

Regarding penalties and sanctions for noncompliance, companies that fall victim to data theft or any other data security breach could be required to pay statutory damages of anywhere from $100 to $750 per resident, per incident.

Meanwhile, fines of up to $7,500 can be imposed for each intentional violation and $2,500 for each unintentional violation.

Such figures can add up quickly. For instance, an intentional violation involving 20,000 customers could wind up costing guilty organizations as much as $150 million.

For more information on the CCPA, see the official CCPA website published by the State of California.