The much-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, with enforcement of business compliance beginning on July 1, 2020.
The new law recognizes several rights that consumers have regarding their personal data. According to the law, consumers have the:
- Right to Know: Consumers have the right to be informed about a company’s collection, use, disclosure, and sale of personal information, and to be told which specific pieces of their personal data the company holds.
- Right to Delete: Consumers have the right to request that a company delete their personal information and direct any of its service providers to remove that personal data as well.
- Right to Opt-Out: Consumers have the right to tell a company that sells their personal information not to sell it. For minors between the ages of 13 and 16, a company cannot sell their personal information without their authorization. For children under 13, permission to sell personal information must come from a parent or guardian.
- Right to Nondiscrimination: A company cannot discriminate against a consumer for exercising any of these rights. For example, a company cannot deny goods or services, charge different prices, or provide a different level or quality of service to that consumer.
The law applies to for-profit businesses that collect California residents’ personal information and carry out business in the state. Small businesses, non-profits, and government agencies are exempt from the law’s mandates.
To be covered, a business must meet one of three additional requirements:
- Have annual gross revenue of more than $25 million;
- Receive or disclose personal information of 50,000 or more residents, households, or devices annually; or
- Get 50 percent or more of their annual revenue from selling personal information on California residents.
Personal information covered by the CCPA includes personally identifiable information, biometric information, internet activity information, geolocation information, professional or employment information, education information that is not publicly available, and inferences drawn from the above information.
California can assess fines for noncompliance: $2,500 for an unintentional violation and $7,500 for an intentional violation. In addition, an individual can file a lawsuit against a company seeking actual damages or statutory damages ranging from $100 to $750 per consumer per violation.
Companies have 30 days to address the alleged violation before fines or liability kick in.
How does CCPA differ from GDPR?
CCPA is similar to the EU’s General Data Protection Regulation (GDPR) in that it gives individuals more control over their private information.
The GDPR, which took effect in 2018, requires all EU countries to enforce uniform data privacy rules designed to safeguard personal information and provide a means for individuals to access, control, and delete their personal data.
Just as the CCPA applies to companies that handle California residents’ data, the GDPR applies to companies that handle data on EU residents, regardless of where the company is based. GDPR also carries stiff fines for violations: up to €20 million ($22 million) or 4 percent of global revenue, whichever is higher.
CCPA and GDPR give the individual the right to delete personal data held by a company, including in data backup systems.
One significant difference is that EU residents must give prior consent before their personal data can be collected. In contrast, California residents do not have to give consent, but they can opt out of data collection. Under CCPA, a company or website does not need prior approval from individuals before selling their data to a third party.