The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. The California Privacy Rights Act (CPRA) amends and expands the CCPA by introducing new privacy rights for consumers.

Overview
The California Consumer Privacy Act (“CCPA”) entered into force in January 2020, bringing with it increased data protection obligations on any business collecting personal data from California-based consumers. Although similar to the European GDPR, the CCPA differs in many ways: it takes a broader view of what constitutes personal data and it includes information security. This blog is intended to provide a brief high-level overview.
Who does the CCPA apply to?
The legislation (much like the GDPR) applies to organisations regardless of where they are established, provided they operate for-profit and:
The organisation must also qualify under one of the following criteria:
What obligations are imposed on qualifying organisations?
Notification
Much like the GDPR, the CCPA imposes minimum requirements on the type of information that must be provided to consumers prior to (or at) the time of collection. Much of this information will already be in place as part of a GDPR-compliant Privacy Notice, but the CCPA requires additional details to be issued to consumers. This includes a Privacy Policy (Notice), which must be updated at least once every 12 months and must contain details of:
Enhanced consumer rights
Shadowing the expansion of data subject rights under the GDPR, the CCPA requires qualifying organisations to increase the control that consumers have over their personal information. This includes the ability to request deletion of their personal information (subject to certain exceptions) and details of what information the organisation held in the previous 12 months, including:
Methods of consumer requests
Organisations are required to provide a simple method for individual consumers to contact them and request information regarding their personal information.
Businesses are also required to verify consumer identities prior to releasing their information. The methods of verification will be issued by the California Attorney General (who regulates the CCPA and its subordinate laws).
Regulating the sale of consumer information
Consumers must be notified of any potential sale of their personal information and given the ability to opt out. Any business selling such data must have a clear “Do Not Sell My Personal Information” link on the organisation’s website which allows consumers to opt out of such a sale of their data. There are more stringent rules for the sale of personal information of any consumer under 16 (requiring an “opt-in”), which must be given by a parent if the consumer is under 13 years of age. Importantly, consumers must not be discriminated against for choosing to opt out of, or not opt in to, a sale of their personal information.
Record Keeping and Service Providers
The CCPA mandates specific periods of retention for consumer requests and there are certain terms that must be included in service provider contracts to prevent the onward sale of consumer data.
Penalties
The California Attorney General is able to impose a fine of up to $2,500 for an unintentional violation, and up to $7,500 for an intentional violation. As each individual affected constitutes a violation, this means the maximum CCPA fines could dwarf those of GDPR.
The legislation also provides a cause of action for individual consumers to sue organisations for failing to implement sufficient safeguards under the CCPA.
Actions
If your business falls within the scope of the CCPA, it is essential that you consider what actions you will need to take to ensure compliance before the California Attorney General begins full enforcement in July 2020. The above measures should be used as guidance only and are not an exhaustive list of all the obligations under the legislation; they should be combined with the advice of qualified local advisors.