California Consumer Privacy Act
The European Union’s General Data Protection Regulation (GDPR) has been a lightning rod in the debate over online privacy and data security since it went into effect in May of 2018. Another act aimed at privacy and data security has passed in California went into effect in January 2020.
California’s legislature passed the California Consumer Privacy Act (CCPA) in light of issues about security and privacy coming to the forefront. The goals of the Act are summarized in 5 points. Citizens should be able to:
1. Know what personal data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Say no to the sale of personal data.
4. Access their personal data.
5. Equal service and price, even if they exercise their privacy rights.
The act applies to companies that do business in California, whether they are located in the state or not. In addition to doing business in California, companies also must satisfy one of these requirements:
– Annual gross revenues in excess of $50,000,000
– Sell personal information of 100,000 or more consumers or devices
– Derive 50 percent or more of its annual revenues from selling consumers’ personal information’
One goal for the drafters of the Act was to target large corporations and businesses whose model relies on buying and selling personal information.
The obligations for companies under the act involve keeping data privacy and consent.
Data Access: Companies must provide a clear way for people to request what information is available on them.
A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
After receiving the request, the company must send the information in an easily understood format. Consumers are limited to two requests in a 12-month period.
A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section.
Data Clarity: Companies must specify what the data being collected will be used for.
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
Data Security: Companies must delete data if requested. This is not the same as the “right to be forgotten” however.
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
The act requires companies to give people the right to opt out of having their personal data sold to 3rd parties.
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
Non-Discrimination: The Act states that companies cannot discriminate against people who do not opt to share data or request deletion. This aspect might be complicated due the element that allows for companies to incentive collection.
A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
The company is in violation if a person’s personal information is stolen or disclosed as a result of a:
Business’ violation of the duty to implement and maintain reasonable security procedures and practices.
Companies are at risk of being fined $750 per user, per violation. For example, If a violations happens that affects 100,000 user emails, the fine can total $75 million. In addition, if a business fails to correct a deficiency within 30 days of notice, they can be charged with a $7,500 civil penalty.
The exact interpretation and implementation of the act will become clear only after it becomes law. To get a start on how you can make sure your data is secure, contact us for a consultation.