The California Consumer Privacy Act Overview
The California Consumer Privacy Act (“CCPA”) entered into force in January 2020, bringing with it increased data protection obligations for any business collecting personal data from California-based consumers. Although similar to the European GDPR, the CCPA differs in many ways: it takes a broader view of what constitutes personal data and it includes information security obligations. This blog is intended to provide a brief, high-level overview.
Who does the CCPA apply to?
The legislation (much like the GDPR) applies to organisations regardless of where they are established, provided they operate for profit.
The organisation must also qualify under one of the following criteria:
What obligations are imposed on qualifying organisations?
Enhanced consumer rights
Shadowing the expansion of data subject rights under the GDPR, the CCPA requires qualifying organisations to increase the control that consumers have over their personal information. This includes the ability to request deletion of their personal information (subject to certain exceptions) and details of what information the organisation has held about them in the previous 12 months, including:
Methods of consumer requests
Organisations are required to provide a simple method for individual consumers to contact them and request information regarding their personal information.
Businesses are also required to verify consumer identities prior to releasing their information. The methods of verification will be issued by the California Attorney General (who regulates the CCPA and its subordinate regulations).
Regulating the sale of consumer information
Consumers must be notified of any potential sale of their personal information and given the ability to opt out. Any business selling such data must have a clear “Do Not Sell My Personal Information” link on the organisation’s website which allows consumers to opt out of such a sale of their data. There are more stringent rules for the sale of personal information of any consumer under 16 (requiring an “opt-in”), which must be given by a parent if the consumer is under 13 years of age. Importantly, consumers must not be discriminated against for choosing to opt out of, or not opt in to, a sale of their personal information.
Record Keeping and Service Providers
The CCPA mandates specific periods of retention for consumer requests and there are certain terms that must be included in service provider contracts to prevent the onward sale of consumer data.
The California Attorney General is able to impose a fine of up to $2,500 for an unintentional violation, and up to $7,500 for an intentional violation. As each individual affected constitutes a violation, this means the maximum CCPA fines could dwarf those of GDPR.
The legislation also provides a cause of action for individual consumers to sue organisations for failing to implement adequate safeguards under the CCPA.
If your business falls within the scope of the CCPA, it is essential that you consider what actions you will need to take to ensure compliance before the California Attorney General begins full enforcement in July 2020. The above measures should be used as guidance only; they are not an exhaustive list of all the obligations under the legislation and should be combined with the advice of qualified local advisors.