What is the New California Consumer Privacy Act? The Ultimate GuideLast Updated by K. Andreas on November 20, 2018
Fresh off the heels of the EU’s General Data Protection Regulation (GDPR) that came into effect May 2018, the CCPA also lays out strict provisions to protect an individual’s data, and what businesses are permitted to do with it.
After the revelation in early 2018 that data firm Cambridge Analytica was actively involved in harvesting the Facebook user data of over 50 million people to aid a presidential campaign in 2014, the call for updated data privacy laws reached fever pitch. While there were some existing privacy laws within several US states at the time, they were swiftly becoming outdated, failing to keep up with the expansion of social media and how digital marketers and companies were using online data.
Perhaps not surprisingly, the state with the most significant tech presence spearheaded a movement towards legislation that would seek to curb what businesses and online entities could do with personal data. The California Consumer Privacy Act was established just a few months later.
When the CCPA goes into effect January 1, 2020, it will give consumers within California the right to request that companies disclose what data they have collected and demand they not sell or share it with a third party, plus the right to prosecute any company that violates the provisions.
Personal data is big business. Companies like Twitter, Facebook, and Google generate a large portion of their revenues using collected data for targeted ads.
ISPs like AT&T and Verizon collect online activity and web browsing data to create profiles for advertising while allowing further marketers to access their data for a fee.
Data firms like Epsilon, Oracle, and Experian turn a profit collecting web browsing data and selling it to third parties. While this is almost always with the intent of more effective advertising, it can still be considered invasive, and there’s the threat of a data breach.
The CCPA is intended to bring an end to data exploitation, forcing companies to be more open about collecting data, which will now rely almost entirely on concent.
The legislation was introduced as a ballot measure in California and was even more restrictive than what would later become the CCPA. Initially conceptualized in 2017, it moved to the forefront in 2018 following the Cambridge Analytica report. The ballot measure itself was the result of a signature drive among Californians.
A compromise was reached between the originators of the measure, the state legislature, and the governor, which involved the action being withdrawn if the newer CCPA was passed and signed into law by the end of June 2018. Since the CCPA is an act implemented by the state legislature, it can be further amended and refined leading up to the date it goes into effect, which appeased the larger companies in question.
What is the California Consumer Privacy Act?
The intention is to provide full transparency of data-collection while ending the free reign businesses have in collating a wide range of invasive information and profiting without consent.
In short, the CCPA protects a person’s online data, restricts what a business can do with it, and outlines consequences for companies who either fail to comply or fail to keep information confidential. It also forces companies to disclose what information they already have, and what they have done with it.
The Act is intended to penalize businesses that leak, or have data breached — something that has gone mostly unpunished until now.
Relevant Provisions of the California Consumer Privacy Act
You are free to read the CCPA; the following is a breakdown of the most critical provisions.
There are four main aspects which refer to the residents of California, and any businesses that interact with them, even if not based in the state.
These provisions will be enacted in several ways:
- Businesses must disclose their data collection within their legal privacy policies, or at the time data is collected, like when using their website. This disclosure must include the consumer’s rights under the CCPA, the data collected, the intentions for the collated data, and the categories of data the business has accumulated over the preceding 12 months, so the consumer has full disclosure.
- Any business with the intention to sell consumer data to a third party must declare this upfront and provide a link on their homepage worded ‘Do Not Sell My Personal Information,’ allowing anyone to opt out.
- All businesses must provide a minimum of two ways for a consumer to request information concerning what has occurred with their data. Contact must be via a phone number or a website, and businesses will have 45 days to respond.
- Businesses are permitted to offer financial compensation to consumers for the collection and sale of their data.
What Qualifies as “Data” and “Personal Information” Covered by the CCPA?
The main scope of data and information referred to in the CCPA falls under several types and categories, including:
- Government ID numbers
- Goods and services purchases
- Web browsing history
- Education information
- Employment information
Enforcement of the CCPA
The California Attorney General technically enforces the act itself. Civil penalties for businesses can climb up to $7,500 for each violation.
Consumers who have had their rights violated can seek damages individually, or with a class-action lawsuit. This is also true if their personal information and data have been compromised or unlawfully obtained due to negligence from the business. Damages can range from $100 to $750 per incident.
Which Businesses must Comply with the CCPA?
Not every business that has California customers will have the resources to comply with the CCPA. The criteria for a for-profit company to be included in compliance with the CCPA are as follows:
- An annual gross income over $25 million
- Receiving or disclosing personal data of over 50,000 California residents
- Deriving 50% or more revenue solely from the selling of California resident data
What it Means for Businesses
The CCPA is a significant wake-up call for any business that deals with data collection and ad targeting on any level; a number which increases daily. The anything permitted attitude towards data collection is nearing the end, and businesses will need to adapt accordingly.
Worth noting is how this legislation is currently only in the one state but forces countless businesses outside of California to comply, regardless as to where they’re located, as California residents must be protected. The immediate implications are nationwide, even reaching other countries. California is a massive economic player, with a GDP that surpasses some small countries, so any company wanting to continue business in the state, will need to comply by 2020.
A short-term fix may be to have a separate website for California IP addresses or an entirely different infrastructure to handle California customers, but this would be a waste of resources, as the provisions in the CCPA will soon be expanding.
What the CCPA Means for You
If you live in California, this is a significant achievement that will go a long way in providing expanded rights and data protection that is long overdue.
If you don’t live in California, rest assured that this act will serve as a model for other states, all expected to follow the example set. The state of Georgia already has new legislation in the works, with others sure to propose their own soon.
The CCPA is Great, but a VPN is a Better Solution
The California Consumer Privacy Act is a massive step in the right direction, however, using a VPN can sidestep nearly every long-standing issue the CCPA has sought to resolve.
So, if you live in California in January 2020 and you’re not using a VPN, your data is still not fully protected. If that applies to you, now would be a good time to start using one.