Perhaps one of the most severe US regulations targeting firms in Silicon Valley, the California Consumer Privacy Act (AB-375 or CCPA) is predicted by many to be more influential than the General Data Protection Regulation of 2018.
In response to the growing number of businesses mismanaging and exploiting private data, the CCPA was signed in 2018 to ensure that organizations only use personal information for business purposes. Additionally, the CCPA empowers Californians to request, delete, or protect any personal information collected by businesses. Functionally, the CCPA seeks to inform consumers about their collected data, third parties who have access to it, and sources of personal data.
Enterprises required to comply with the CCPA must conduct business with California residents and satisfy one of the three following criteria
- Has an annual gross revenue of over $25 million
- Purchases, receives for commercial reasons, sells, or shares for commercial reasons, alone or in combination, the personal information of over 50,000 consumers, households, or devices
- Derives over 50% of annual revenue from selling
So long as a company meets one of the above requirements, then it is required by the CCPA to inform consumers of the type of personal data collected and the purpose of its collection.
The CCPA seeks to empower consumers by granting them the right to request that businesses reveal any of the following:
- Any data collected about the consumer
- Categories of sources from which their information is collected
- Any business purpose for the collection or selling of that information
- Third parties with which personal information is shared
The CCPA also clarifies the meaning of business purpose as the following:
- Any auditing or verification related to transactions
- Detecting security incidents, fraud prevention, or illegal activity
- Debugging used for identification and repairs
- Transient use (short-term)
- Performing services on behalf of the business or service provider
The CCPA also requires companies to provide consumers with a form on the company website allowing consumers to opt-in or out of data sharing. If consumers cannot find out how their information is being collected or get copies of that information, they may take legal action. Other consumer rights include:
- deletion
- opting out of the sale of data
- Not be subjected to discrimination for the exercise of rights
- Data portability
CCPA expands the definition of sensitive data to include households. It defines personal information as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” (CCPA Section 1798.140). This means that under the CCPA, data that does not contain a name but still contains other information that could reasonably be used to identify or relate to an individual household could be subject to CCAP protections. By contrast, before the CCPA, data that did not include a consumer’s name would not trigger a data breach notification in California if accessed or used inappropriately.
CCPA Violation Penalties
Since going into effect on January 1, 2020, the CCPA has allowed organizations a 45-day grace period to respond to verified consumer requests. If an organization fails to address a violation within 30 days of notification, the California general attorney may penalize the organization for up to $7,500 per violation.