- DPO's Blog
What is the California Consumer Protection Act (CCPA)?
By Eleanor Blackwood
Thu 23 July 2020
What is the CCPA?
CCPA stands for the California Consumer Privacy Act. It came into effect on January 1st 2020, and the enforcement date was July 1st 2020.
The CCPA sets new standards for data collection and outlines new rights for California consumers that they can exercise to protect their data. It also sets out the consequences for businesses who fail to protect their customers’ data.
Is the CCPA like GDPR?
The CCPA is largely an altered version of GDPR, but it’s mainly in place to protect consumers rather than individuals. Unlike GDPR, which protects ‘personal data’, the CCPA refers to ‘personal information’. This definition means the CCPA protects any information that can identify an individual consumer or household, rather than any person. You can read more about the similarities and differences between the two here.
Who does the CCPA apply to?
The CCPA actually only applies to a specific group of businesses.
The criteria are:
- Any ‘for profit’ organisation that does business in California
- Has an annual gross revenue of over $25 million and
- Buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
- Must make over half of its annual revenue from selling its consumers’ personal information.
What are your rights under the CCPA?
The CCPA is an extremely important law for consumers. It’s the first time in American history that individuals have had the right to know what companies know about them, to decide to delete this information and to prevent it from being sold.
Here are your rights as a consumer under the CCPA:
- Right to transparency; to know the information about processing and to know details of processing.
- Right to opt out of the sale of personal information.
- Right to non-discrimination for exercising consumer rights; for example, a business can’t just start charging you more or treating you differently because you start exercising your consumer rights.
- Right to delete personal information.
- Minors’ right to opt in to the sale of their personal information.
- Direct private right of action for certain data breaches. This is a big one that’s made some organizations very fearful for their business; we'll go into this a bit later on.
What happens if there's a CCPA violation?
Companies are taking the CCPA very seriously. The California Attorney General (AG), Xavier Becerra, who is responsible for enforcing the CCPA, said:
‘I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you’.
Some of the things that businesses have to do under the CCPA, which link to the consumer rights we mentioned above, are to have a ‘do not sell my personal information’ link on their homepage, always disclose to consumers that they sell or share their information and, in the event of a merger, offer consumers an opt-out for the continued processing of their information.
If a business that falls within the scope of the CCPA doesn't have a ‘do not sell my personal information’ link on its website, this would be a violation of the law. In this case, businesses are first notified. Then they have 30 days to ‘cure’ the violation, i.e. fix it. If they don’t cure it, the AG can bring an enforcement action of up to $2,500 for each violation and $7,500 for intentional violations.
What’s the global reach of the CCPA?
Although based in California, the CCPA still has a global impact because of the significant number of large tech companies in California, such as Facebook, Apple and Google. California is, after all, the Golden State. It has the largest economy in the US and if it were a sovereign nation, it would have the fifth biggest economy in the world.
There’s also a feeling that the CCPA is only a test run, and it may eventually become federal law nationwide. For example, Microsoft has pledged to extend the CCPA’s core rights to users across the country.
What was the reaction in California to the CCPA?
For many consumers in California, the CCPA was a long time coming. Frequent and massive data breaches, such as the Cambridge Analytica scandal, meant new data privacy laws were needed. Privacy activist Alastair Mactaggart was one of those consumers, and he successfully spurred the adoption of the CCPA in 2019 with his campaign that obtained 600,000 signatures, twice as many as he needed to bring the matter to a referendum. A very strong show of support.
But the CCPA targets very well-funded opposition, and companies like Facebook, Google and Uber strongly opposed the adoption of the CCPA in 2019. Some arguments opposing the law said that allowing anyone to sue over violations of the law could put a lot of extra burden on the court system or cost too much. To which State Senator Hannah-Beth Jackson replies: ‘People should be able to exercise their rights, and remember, privacy is a constitutional right’, adding that the court system has protections against lawsuits that have no merit anyway.
There are also many privacy advocates who still see flaws in the CCPA. Mactaggart launched a new ballot initiative to give consumers stronger rights to their sensitive information (stronger protections for this exist in GDPR but are not mentioned in the CCPA), and commented: ‘I hope it’s not a situation where we have another $6 trillion market cap opposition’. Jackson also finds issue with the fact that the only way a consumer can sue under the CCPA is through the AG, ‘meaning the attorney general becomes the attorney for 40 million people. That’s ridiculous’. It seems likely, given these complications, that we'll see some significant changes made to the CCPA in the future.
The California Consumer Privacy Act sets new standards for data protection and has given consumers more data privacy rights than ever before, and companies are taking the law very seriously because of the legal consequences they can now face for violating it.
But there are still areas of it that may need improving. This can face, and has faced, a lot of opposition from businesses who, essentially, risk losing at least 50% of their revenue.