What Do You Need to Know About CCPA?
Much like the European Union’s General Data Protection Regulation of 2018, the California Consumer Privacy Act is yet another piece of data privacy legislation that organizations must prepare for as they reexamine the way they collect, use, store, transmit, and protect data. But here’s what companies that interact with California consumers and residents must understand: while they may comply with the various other data privacy laws already being enforced, that does not mean they comply with CCPA. In fact, no matter how similar CCPA is to other data privacy laws, there are nuances between those laws to be accounted for. What does this mean for your organization? What do you really need to know about CCPA? Here are the five core components of the law.
1. What Is CCPA?
In June 2018, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). The purpose of CCPA is to give consumers more rights related to their personal data, while also requiring businesses to be more transparent about the way personal data is used and shared. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers, which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information. The law will go into effect on January 1, 2020. Please note that the law may be subject to legislative amendments and to regulations that the California Attorney General’s Office creates. At the point of publication, the main legal requirements are:
- Consumer rights to access, deletion, non-discrimination, and opt-out of selling data
- Vendor contract requirements
- Requirement to implement and maintain reasonable security measures
2. Who Does CCPA Apply To?
As with GDPR’s data subjects, the law doesn’t apply only to businesses located within the state of California. Instead, the law applies to certain businesses that collect, use, receive, or transmit the personal data of California consumers. Specifically, CCPA applies to for-profit businesses that do business in California and that meet any of the following criteria:
- (A) Have annual gross revenues of over $25,000,000
- (B) Buy, sell, or share the personal information of 50,000+ consumers per year
- (C) Derive 50% or more of their annual revenues from selling consumers’ personal information
3. Who Enforces CCPA?
The CCPA is far less ambiguous than other data privacy laws when it comes to who is enforcing the law. According to the American Bar Association, “The CCPA is enforceable both by the Attorney General for the State of California and by private litigants. However, the Act contains technical terms regarding when and how a consumer can bring a private action under the statute.”
4. What Are the Penalties for Non-Compliance?
The penalties for non-compliance with CCPA depend on the entity issuing the penalty. If consumers pursue a private, class-action lawsuit, statutory damages could be between $1,000 and $3,000 or actual damages, whichever is greater. If the Attorney General issues fines for non-compliance, companies may be liable for paying fines up to $7,500 per violation. Additionally, in the event of a data breach, consumers can recover damages between $100 and $750 per consumer per incident.
5. What Are the Exemptions to CCPA?
According to AB 371 Section 1798.145, there are six exemptions to complying with CCPA. Complying with the law should not hinder a business’s ability to:
- Comply with federal, state, or local laws
- Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
- Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
- Exercise or defend legal claims
- Collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate
- Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California