Starting January 1, 2020, the state of California enforces the most far-reaching data-privacy legislation in the history of the United States.

The California Consumer Privacy Act (CCPA) enables residents of the Golden State to know what data companies and websites collect about them. What is more, the new law allows Californians to force businesses not to sell their data to third parties and delete already collected data about users.

The incoming 2020 law is similar to the European Union’s General Data Protection Regulation (GDPR), which is the most comprehensive data-privacy legislation currently enforced worldwide.

The adoption of the CCPA also forces other U.S. states to enact similar laws, opening the door to a nationwide movement to protect the privacy of the consumers online. Actually, support for adoption of a new national law to protect consumer privacy is high at all levels.

Source: Statista

The state of California is known for adopting reformist legislation in many fields such as workforce protections and animal welfare.

Many other states are following suit after California, adopting new far-reaching laws. Nine other states are already considering similar regulations.

California is the biggest U.S. market with some 40 million residents, which in turn means that major companies operating in the state are subject to the CCPA. Businesses will have to follow the stipulations of the CCPA and apply them to online users from other states as well, since they cannot check and verify from where each customer originates.

Datashield has provided with a detailed overview of the California Consumer Privacy Act and all major aspects of the law the law that affect individuals and organizations:

New Rights the CCPA Grants to Consumers

After January 1, 2020, California consumers will have the following new rights pertaining to their personal data collected and managed by companies.

• The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
• The right to delete personal information held by businesses and by extension, a business’s service provider
• The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

Effectively, the above provisions of the CCPA cover all major components of your personal data such as:

• Your name
• Your username
• Your password
• Your phone number
• Your physical address
• Your IP addresses
• Your device identifiers

Furthermore, the CCPA covers also information such as your race, religion, marital status, sexual orientation and military status. The law extends to other information as well, protecting data like your fingerprints, facial recognition data as well as data about your browsing history and location.

Hence, individuals can ask any company operating in California to reveal any of the above data to them or request the company to delete all or part of the information. Consumers, however, are not allowed to correct information under CCPA as opposed to the stipulations of the GDPR and the state of New York pending data-privacy law.

How U.S. State Privacy Legislation Compares

Bear in mind that companies are still allowed to collect personal data about users under the CCPA, but only from public government sources such as official marital records. Nonetheless, they are prohibited to extract personal data from sources like user social media profiles.

Businesses that CCPA Covers

The law applies to a wide range of businesses although certain legislative details are still to be clarified further. As a whole, the CCPA covers the following business entities:

• Business has gross annual revenues exceeding $25 million;
• Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
• Derives 50 percent or more of annual revenues from selling consumers’ personal information.

Any business that handles the personal information of more than 4 million consumers will have additional obligations under the CCPA. Furthermore, the broad definitions of the CCPA defines as “selling personal information” also sharing data for in return for “valuable consideration”, which extends the law’s coverage to companies that do not necessarily look for financial compensation when sharing personal data collected by them.

Businesses that the CCPA does not cover include:

• Healthcare service providers and insurers that are governed by the HIPAA legislation (Health Insurance Portability and Accountability Act of 1996);
• Financial companies that are covered by the Gramm-Leach-Bliley law (Financial Modernization Act of 1999);
• Credit reporting agencies that are covered by the Fair Credit Reporting Act.

The fines for violating the CCPA are up to $2,500 per unintentional violation and rise to a maximum of $7,500 for an intentional violation. Hence, the fines can grow really big when the violations affect large groups of consumers.

If a consumer finds a violation, he/she can bring a legal action for statutory damages ranging from $100 to $750 per violation or actual damages.

How to Comply with the CCPA

Becoming fully CCPA compliant will be a continuous effort for businesses as a number of CCPA definitions and stipulations are still work in progress. Nonetheless, there are mandatory measures that each business that falls under the scope of the CCPA should implement:

• Provide notice to consumers at or before data collection;
• Create procedures to respond to requests from consumers to opt-out, know, and delete data;
• Provide a “Do Not Sell My Info” link on their website or mobile app;
• Respond to requests from consumers to know, delete, and opt-out within 45 days;
• Verify the identity of consumers who make requests to know and to delete personal data;
• Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information;
• Keep records of requests and corresponding actions taken for a period of 24 months.

In some cases, a business may deny a request i.e. if they are unable to verify a request but in any case they are still required to comply to the greatest possible extent. What it means is that a request to delete that should be treated as a request to opt-out.

Any business that is subject to the CPPA must offer at least two methods for users to request access to their personal information and one of the methods should be a toll-free phone number.

The Standardized Regulatory Impact Assessment for the CCPA regulations puts the estimated costs for achieving CCPA compliance at between $467 million and $16.45 billion until 2030. In the same time, the law is to protect over $12 billion worth of personal information in California.

Conclusion

The entering in force of the CCPA signals a new era in the sensitive field of protecting personal data online and guaranteeing the right of privacy to any consumer who provides personally identifiable data to online businesses, which in fact means most businesses. The CCPA puts a threshold of 50,000 users for a company to be covered by the CCPA but any successful small or medium-sized business can easily exceed that number within a few years, so it must comply with the CCPA.

The major impact of the CCPA on businesses large and small will be about companies adopting new technologies and procedures to classify personal data, preemptively delete all unnecessary data, protect all collected personal data and continuously monitoring stored data for data leaks and threats.

The adoption of the CCPA comes in time of unprecedented bipartisan agreement to draft similar personal data-protection legislation at a national level although Democrats and Republicans in Senate are still unsure whether such a bill should preempt state privacy laws.

The CCPA is the most comprehensive personal privacy law following the GDPR and, while adoption of a federal law is still on the horizon, at least seven U.S. states are following the example of California by passing far-reaching consumer privacy laws. With more and more companies conducting business on the Internet and increasing number of users performing various activities online, the CCPA heralds the emergence of brand new legislation in the field of online privacy and consumer data protection.

Contact Us to learn more about how we can support your data privacy and cyber security initiatives.