In late June, 2018, following the European Union’s groundbreaking General Data Protection Regulation (“GDPR”), California passed its own consumer privacy law, AB 375, that imposes its own set of requirements on U.S. companies with regard to consumer’s “personal information.” You can read more about GDPR here. The new California law, referred to as the California Consumer Privacy Act (“CCPA”), took effect on January 1, 2020 and established new, groundbreaking consumer privacy rights for California consumers. Fines for non-compliance of CCPA can add up quickly; these fines are in addition to any loss of goodwill or consumer trust – or expenses associated with responding to any compliance investigations.
What consumer “personal information” is protected by CCPA?
CCPA takes a broader view than the GDPR of what constitutes “personal information.” CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The words “relates” or “reasonably capable of being associated with/linked” open up a very large class of non-traditional personal identifiers, that goes beyond name, address, social security number, to include information such as email address, online social media handles, IP addresses, biometric information, geolocation data, browsing, and search history.
Who needs to comply to CCPA?
Companies that meet the following criteria must adapt their privacy policies and reporting to CCPA’s requirements:
- companies that serve or hire California residents;
- have $25 million or more in annual revenue;
- possess the personal data of more than 50,000 “consumers, households, or devices;” or
- earn more than half of its annual revenue selling consumers’ personal data.
What protection does CCPA give to consumers?
The CCPA gives California residents the following rights:
- to know what personal information is being collected about them;
- to know whether their personal information is sold or disclosed and to whom;
- to say no to the sale of personal information;
- to access their personal information;
- to equal service and price, even if they exercise their privacy rights;
The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, like smartphone locations or voice recordings, that a company has on them sells or discloses about them; the sources of that data; the purposes for these activities; and the categories of parties to which their personal information is disclosed. CCPA also grants California consumers the right to request detailed information about the personal information a business holds specifically about them, which may include detailed logs of a person’s online activities, physical locations, ride-hailing routes, biometric facial data, ad-targeting data, and the right to obtain portable copies of their personal information from the business. CCPA also gives California consumers the right to prohibit a business from selling their personal information, and to request that a business delete their personal information.
When will enforcement start?
The CCPA took effect in California on January 1, 2020, with a six months grace period before enforcement of the law begins. Starting in July 2020, offenses of the CCPA will be assessed with fines.
Does compliance with GDPR ensure compliance of CCPA?
No. The CCPA and the EU’s GDPR do not share some same key requirements. Compliance with one does not imply or guarantee compliance with the other. The scopes, definitions, and requirements of the CCPA and the GDPR are different.
What to do if you think a business is misusing your personal information under the CCPA?
Starting July 2020, California consumers may bring a legal action for statutory damages ranging from $100 to $750 per violation or actual damages, whichever is greater. The California Attorney General may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. No actual damage or specific evidence of identity theft is required. A CCPA plaintiff must inform the California Attorney General of the situation within 30 days of filing a CCPA lawsuit. The California Attorney General is the sole individual who has the power to delay or block such individual litigation under the CCPA.
Find out how Carbon Law Group can help you prepare for CCPA compliance by scheduling a meeting with us using this link.