In 2018, massive data breaches affected hundreds of millions of users. Facebook (multiple times), the Marriott hotel chain, Comcast, and even Google Plus failed to protect users. Currently, these businesses face no serious legal repercussions. They saw minimal backlash even when they acknowledge these breaches in public statements.
That will change. In June of 2018, California legislators passed the California Consumer Privacy Act (CCPA). Among other things, it gives California residents the power to deny the sale of their personal information. The CCPA holds companies accountable for mishandling consumer information. It will go into effect on Jan. 1, 2020.
Here’s what you need to know, as an internet business, about CCPA and how to prepare for it.
What is the CCPA?
The three main goals of the California Consumer Privacy Act, also called the California Data Privacy Act, are:
- To Maintain Transparency. Users should know what personal information such companies as Google and Facebook collect about them.
- To Maintain Control. A user can require a company not to sell personal information without fear of the company retaliating by limiting service or raising cost for that user.
- Maintain Accountability. Because of massive data breaches, the CCPA holds businesses accountable for misusing consumers’ personal data or failing to protect it. The Act allows individual legal action against companies for these violations.
Rights Protected by the CCPA
The main clauses of the CCPA emphasize a consumer’s right to opt out of the sale of their information. Users must also have the right to full disclosure. That is, they have the right to know what data a business collects. The CCPA specifies the following consumer rights:
- The right to know all the data that a business has collected on the user, provided free of charge twice a year at the business’s expense.
- The right to deny the sale of your information without fear of retaliation or discrimination.
- The right to delete data you have posted.
- The right to sue companies who collected your data if that data is breached.
- The right to know what types of data the company collects prior to collection or at the point of collection. This includes any changes to data collection methods.
- Mandatory opt-in by a parent on behalf of minors (16 and under ).
- The right to know the business categories of third parties who purchase user data.
- The right to know the sources of personal information, such as that found in your Facebook or Google account.
- The right to know a business’s purpose for collecting your information.
What Personal Data Must be Disclosed?
The CCPA defines “personal data” as the following types of information. Businesses must inform people if they collect:
- Real name
- Mailing address
- Email address
- IP address
- Social Security number
- Race, ethnicity and gender
- Employment information
- Consumer history
- Biometric data
- Medical data
- Location data
- Browsing/search history
- Audio, video, electronic, or similar data
- Inferences drawn from any of the above information.
- Any of these categories related to minor children of the consumer.
How Does CCPA Relate to GDPR?
Similarities between CCPA and GDPR
Some refer to CCPA as “California’s GDPR,” but the rights involved and the extent of coverage differ in some areas and overlap in others.
Both grant users the right to opt out of the collection and sale of data. Both the CCPA and GDPR grant users the right to receive copies of their personal data from an organization. This goes along with the user’s right to know what the company collects and what third-party organizations have access to that data. Like the CCPA, GDPR also grants users the right to delete personal data (the Data Erasure clause). This forces the data collector to erase the user’s personal data, stop collecting it, and halt in-progress third-party processing.
Differences between CCPA and GDPR
- User Consent: GDPR and CCPA define consent differently. GDPR requires a company to ask for users’ consent before collection of their data. GDPR also requires that companies obtain explicit (active) consent before collecting sensitive data, including that related to race, sex, and medical history and like matters. CCPA does not require businesses to ask for consent before collection. CCPA allows users to opt out of the sale – not the collection – of data. It does require explicit parental consent for sale of data of minors under 16.
- Affected Organizations: GDPR has wider geographic range. The regulations extend to any company that collects personal data of anyone who lives in the EU, including organizations located outside the EU.
- Penalties: GDPR handles penalties differently than the CCPA. The maximum penalty for non-compliance with GDPR regulations will cost an organization 4 percent of annual revenue, or €20 million (whichever is greater). The CCPA penalizes organizations on a per-violation basis with no ceiling.
For more information, see our blog on GDPR and its impact on organizations, or visit the official GDPR website.
Who Needs to Comply?
Companies that do business in the state of California must comply with the CCPA. These companies must also meet one of the following thresholds:
- Earns at least $25 million in annual revenue (adjusted every other year in accordance with the Consumer Price Index).
- Buys, receives, sells or shares personal information of at least 50,000 customers, households or devices per year.
- At least 50 percent of its annual revenue comes from selling consumers’ personal information.
Requirements for Compliance
The CCPA requires businesses to allow users to opt out of selling their information. It includes the following compliance requirements for the Opt-Out clause:
- Add an obvious “Do Not Sell My Personal Information” link on the site home page. Add a link to the public homepage unless the site redirects California users to a separate homepage that contains this link. The link must take the user to an opt-out page.
- Create a page where users can opt out of the sale of their information.Your website must have a page where users can opt out of the sale of personal data. You cannot require them to create an account on your website in order to opt out. After a user has opted out, do not sell their personal data. Save this opt-out preference for a year. You may prompt them to opt out of the sale of data again after one year.
Compliance with the Right to Know and Disclosure clauses requires that businesses do the following:
- Give your consumers two ways to submit requests for information. Allow users to request their information via a toll-free telephone number and a website address.
- Disclose and deliver the information to the consumers. Provide users with all data you have collected on them. Send this to the user, free of charge, within 45 days of receiving a request. Again, you cannot force users to make an account on the site to submit requests for data. The same restriction applies when users choose to opt out of selling their data.
Penalties for Non-Compliance
Penalties for non-compliance add up quickly. Anyone who violates the CCPA – intentionally or unintentionally – may face a civil penalty for each offense. A business may pay penalties up to $7,500 for each violation in the case of a breach.
For more information on the California Consumer Privacy Act, visit the website.