What is the New California Consumer Privacy Act? The Ultimate Guide

Last Updated by K. Andreas on November 20, 2018

Fresh off the heels of the EU’s General Data Protection Regulation (GDPR) that came into effect May 2018, the CCPA also lays out strict provisions to protect an individual’s data, and what businesses are permitted to do with it.

Many agree that these types of laws are long overdue. Data breaches at large companies have become commonplace over the last decade, with reports stating how millions of customers have had personal and private data stolen, hacked, leaked, or left unsecured due to negligence and oversight.

After the revelation in early 2018 that data firm Cambridge Analytica was actively involved in harvesting the Facebook user data of over 50 million people to aid a presidential campaign in 2014, the call for updated data privacy laws reached fever pitch. While there were some existing privacy laws within several US states at the time, they were swiftly becoming outdated, failing to keep up with the expansion of social media and how digital marketers and companies were using online data.

Perhaps not surprisingly, the state with the most significant tech presence spearheaded a movement towards legislation that would seek to curb what businesses and online entities could do with personal data. The California Consumer Privacy Act was established just a few months later.

When the CCPA goes into effect January 1, 2020, it will give consumers within California the right to request that companies disclose what data they have collected and demand they not sell or share it with a third party, plus the right to prosecute any company that violates the provisions.

The CCPA is now the most stringent data privacy protection law in the United States. As you can imagine, this will have significant implications on virtually every business that engages with the public, including Google, AT&T, Amazon, and more.

Background

Personal data is big business. Companies like Twitter, Facebook, and Google generate a large portion of their revenues using collected data for targeted ads.

ISPs like AT&T and Verizon collect online activity and web browsing data to create profiles for advertising while allowing further marketers to access their data for a fee.

Data firms like Epsilon, Oracle, and Experian turn a profit collecting web browsing data and selling it to third parties. While this is almost always with the intent of more effective advertising, it can still be considered invasive, and there’s the threat of a data breach.

The CCPA is intended to bring an end to data exploitation, forcing companies to be more open about collecting data, which will now rely almost entirely on consent.

The legislation was introduced as a ballot measure in California and was even more restrictive than what would later become the CCPA. Initially conceptualized in 2017, it moved to the forefront in 2018 following the Cambridge Analytica report. The ballot measure itself was the result of a signature drive among Californians.

A compromise was reached between the originators of the measure, the state legislature, and the governor, which involved the action being withdrawn if the newer CCPA was passed and signed into law by the end of June 2018. Since the CCPA is an act implemented by the state legislature, it can be further amended and refined leading up to the date it goes into effect, which appeased the larger companies in question.

What is the California Consumer Privacy Act?

The intention is to provide full transparency of data collection while ending the free rein businesses have in collating a wide range of invasive information and profiting without consent.

In short, the CCPA protects a person’s online data, restricts what a business can do with it, and outlines consequences for companies who either fail to comply or fail to keep information confidential. It also forces companies to disclose what information they already have, and what they have done with it.

The Act is intended to penalize businesses that leak data or have it breached, something that has gone mostly unpunished until now.

Relevant Provisions of the California Consumer Privacy Act

You are free to read the CCPA; the following is a breakdown of the most critical provisions.

There are four main aspects which refer to the residents of California, and any businesses that interact with them, even if not based in the state.

  1. The right to know what personal data a business has collected about the individual. This also includes where the data was gathered, what use it has, if it’s going to be sold, and to whom.
  2. The right to willingly opt out of businesses selling personal data. This is automatic for children under 13, but children under 16 will need to opt-in.
  3. The right to request a business delete the data.
  4. The right to equal pricing and service from the business after opting out of data collection.

These provisions will be enacted in several ways:

  • Businesses must disclose their data collection within their legal privacy policies, or at the time data is collected, like when using their website. This disclosure must include the consumer’s rights under the CCPA, the data collected, the intentions for the collated data, and the categories of data the business has accumulated over the preceding 12 months, so the consumer has full disclosure.
  • Any business with the intention to sell consumer data to a third party must declare this upfront and provide a link on their homepage worded ‘Do Not Sell My Personal Information,’ allowing anyone to opt out.
  • All businesses must provide a minimum of two ways for a consumer to request information concerning what has occurred with their data. Contact must be via a phone number or a website, and businesses will have 45 days to respond.
  • Businesses are permitted to offer financial compensation to consumers for the collection and sale of their data.

What Qualifies as “Data” and “Personal Information” Covered by the CCPA?

The main scope of data and information referred to in the CCPA falls under several types and categories, including:

  • Name
  • Address
  • Government ID numbers
  • Goods and services purchases
  • Web browsing history
  • Geolocations
  • Education information
  • Employment information

Enforcement of the CCPA

The California Attorney General technically enforces the act itself. Civil penalties for businesses can climb up to $7,500 for each violation.

Consumers who have had their rights violated can seek damages individually, or with a class-action lawsuit. This is also true if their personal information and data have been compromised or unlawfully obtained due to negligence from the business. Damages can range from $100 to $750 per incident.

Which Businesses must Comply with the CCPA?

Not every business that has California customers will have the resources to comply with the CCPA. The criteria for a for-profit company to be included in compliance with the CCPA are as follows:

  • An annual gross income over $25 million
  • Receiving or disclosing personal data of over 50,000 California residents
  • Deriving 50% or more revenue solely from the selling of California resident data

What it Means for Businesses

The CCPA is a significant wake-up call for any business that deals with data collection and ad targeting on any level, a number that increases daily. The anything-permitted attitude towards data collection is nearing its end, and businesses will need to adapt accordingly.

Businesses should begin planning how to comply with similar legislation as it affects them directly and develop smart incentives to convince customers to consent to the sharing of their data. In a way, these restrictions will encourage new marketing methods that are both compliant and fair.

Worth noting is how this legislation is currently only in the one state but forces countless businesses outside of California to comply, regardless of where they’re located, as California residents must be protected. The immediate implications are nationwide, even reaching other countries. California is a massive economic player, with a GDP that surpasses some small countries, so any company wanting to continue business in the state will need to comply by 2020.

A short-term fix may be to have a separate website for California IP addresses or an entirely different infrastructure to handle California customers, but this would be a waste of resources, as the provisions in the CCPA will soon be expanding.

What the CCPA Means for You

If you live in California, this is a significant achievement that will go a long way in providing expanded rights and data protection that is long overdue.

If you don’t live in California, rest assured that this act will serve as a model for other states, all expected to follow the example set. The state of Georgia already has new legislation in the works, with others sure to propose their own soon.

The CCPA is Great, but a VPN is a Better Solution

The California Consumer Privacy Act is a massive step in the right direction; however, using a VPN can sidestep nearly every long-standing issue the CCPA has sought to resolve.

A VPN keeps your connection and data secure and your identity anonymous. When routed through a VPN, you don’t have to worry about a business, government, or malicious party observing your activity and collecting data. A VPN is the only way to ensure the privacy of your data adequately.

So, if you live in California in January 2020 and you’re not using a VPN, your data is still not fully protected. If that applies to you, now would be a good time to start using one.


K. Andreas
K. Andreas is a US-based writer, editor, and researcher with a focus on cybersecurity and free speech laws in the digital realm abroad.