On June 28, 2018, California enacted one of the country's most comprehensive laws protecting consumers' personal information online. Inspired by the EU's GDPR, the California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020.
This law came about largely because of consumer backlash to the lack of control over how their personal data is used online, lack of transparency on the part of businesses, and multiple data breaches that compromised consumers' personal information.
The CCPA will significantly change how nearly all businesses operate online, not just those located within the state of California.
- 1. Who Does the California Consumer Privacy Act Affect?
- 2. What Does the New Law Change?
- 3. Highlights of the CCPA
- 4. How to Comply with the CCPA
- 4.1. Duty to Disclose
- 4.2. Duty to Allow Access
- 4.3. Duty to Delete
- 4.4. Duty to Allow Opting-Out
- 4.5. Duty to Provide Equal Service
- 5. CCPA Enforcement
- 6. Conclusion
Who Does the California Consumer Privacy Act Affect?
The CCPA is meant to protect the citizens of California. Specifically, businesses that do more than $25 million in revenue there or that have more than 50,000 unique California visitors per year would be subject to the law - not just businesses that are physically located within the state.
This means that any business that either does a decent amount of online business in California or deals in the personal data of a fairly significant number of California customers should be concerned with the new law.
What Does the New Law Change?
The CCPA strengthens consumer rights when it comes to transparency about how data is being used. It also increases consumer rights when it comes to what a business can use data for and how consumers can opt out of having their data used. Additional protections for minors are included. The California Attorney General will be authorized to enforce the law through fines, while consumers will be able to sue for damages caused by data breaches.
If you're familiar with the GDPR, you can surely see the similarities here.
There will surely be a shakeup of existing business models for online businesses because of the CCPA.
Highlights of the CCPA
Here are some of the highlights of the CCPA and how consumers can benefit:
- The CCPA allows consumers to request what specific personal data is being collected about them when they visit a website. This differs from the type of information that would be disclosed in the first category in that it would be the specific information the company has about the specific consumer rather than a category of information that was shared or collected about them and everyone else.
- The CCPA allows consumers to opt out of having their data shared with third parties.
- The CCPA provides additional protections for minors by providing that websites must allow minors ages 13-16 to only opt-in to having their personal data shared. For children under the age of 13, businesses must obtain parental permission before sharing personal information.
- The CCPA forbids discrimination against those using the law to protect their rights. An example of this would be charging different prices or restricting access to someone who opts out.
- The CCPA allows consumers to sue for damages due to a data breach, such as when their sensitive personal information is compromised. It also establishes a way for the California Attorney General to levy fines for violating the CCPA.
The basic idea behind the law is to give consumers more control over, and access to, their personal data. The law also allows for increased penalties for businesses that don't follow the consumers' wishes about what happens to their data.
How to Comply with the CCPA
To comply with the new law, businesses need a clear understanding of the rights it creates for consumers and the duties it creates for businesses.
The law creates five duties for businesses:
- Duty to disclose
- Duty to allow access
- Duty to delete
- Duty to allow opting-out
- Duty to provide equal service
Duty to Disclose
Here's an excerpt from Section 1798.110 that sets this requirement:
Additionally, consumers are allowed under the CCPA to make individual requests about their data. This means that a business must turn over information about that consumer's individual data from the previous 12 months if asked.
Included in this disclosure are the categories, but not the specific types, of data that are being collected on a consumer and the types of third parties that the data may be getting shared with.
Some examples of categories of data may include IP Address, physical location, browsing history, search history, or other such information that could be used to identify a consumer.
Duty to Allow Access
With the CCPA, consumers will now be able to request from businesses which specific data is being gathered about them.
Not only does this mean that a business would have to turn over this information if asked, it also implies that a business has a duty to preserve this information in case it needs to be disclosed in the future. This does not mean that data needs to be stored indefinitely. It only needs to be stored for the last 12 months, which is what the consumer is entitled to under the law.
This also differs from the disclosure of categories of information about an individual that must be turned over if asked. These types of requests would include the specific data gathered, such as a consumer's specific IP address or name.
Duty to Delete
Except for a limited number of reasons, such as completing a contract between the parties or to maintain data security, a business must delete a consumer's personal data from their servers or service providers if requested.
Note that there are a number of exceptions to this, including things like detecting security threats, complying with legal obligations and completing a transaction for which the information was collected:
Duty to Allow Opting-Out
Additionally, for minors ages 13-16, personal data cannot be shared unless the consumer specifically "opts-in," offering them a higher level of protection. For children under the age of 13, a business must obtain parental permission before sharing any personal data.
Businesses must take care to keep the personal data of those who opt out separate from the data of those who do not. Businesses should also take care to keep Californians' data separate from that of non-Californians.
Duty to Provide Equal Service
The new law specifically forbids discrimination against those who exercise their rights under the law. Included in the definition of discrimination would be restricting access or charging different prices to those who opt out.
Not included as a type of discrimination would be providing financial incentives for providing personal data to a website, such as offering a coupon code or other discount.
Additionally, businesses are allowed to charge different amounts to customers who do not provide their data or restrict access if there is some value to be gained by the consumer for providing their personal data.
CCPA Enforcement
The California Attorney General is in charge of enforcing the CCPA.
When a business is given notice of a violation, it is given 30 days to remedy it. If it is not remedied within those 30 days, there is a fine of up to $2,500 for each violation. For intentional violations, there could be an additional $7,500 fine for each violation.
The law also allows consumers to sue for some data breaches, such as when Social Security Numbers, medical information, or credit card numbers are compromised due to a business failing to put in place reasonable security measures.
Consumers affected by a data breach can sue for $100-$700 per violation or for actual damages, whichever is higher.
Conclusion
There is a changing climate when it comes to how people want their personal information to be handled online. The CCPA is destined to change how all online business is conducted. For any business with a web presence in California, this law cannot be ignored.
The CCPA gives consumers greater transparency when it comes to how their data is being handled. It allows them to request disclosure of what data is being collected and who it is being shared with. It also allows consumers to opt out of having their data shared with third parties or request it be deleted altogether. The CCPA also offers increased protections for minors. Finally, the CCPA would allow the California Attorney General to enforce the law and allow consumers to sue for damages caused by data breaches.