The California Consumer Privacy Act (CCPA) regulates the processing of California consumers’ personal data, regardless of where a company is located. CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other US state or federal privacy law.
CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:
- Know and access the personal data being collected about them;
- Know whether their personal data is being sold, and to whom;
- Opt out of having their personal data sold;
- Have their personal data deleted upon request; and
- Avoid discrimination for exercising their rights.
California law also requires that each individual affected by a security breach involving their personal data be notified, and CCPA adds a private right of action for such breaches. It does not matter whether the data is maintained in California or elsewhere.
CCPA is often called the US equivalent of the EU’s General Data Protection Regulation (GDPR). Both laws give individuals rights to access and delete their personal information. In some respects, however, CCPA does not go as far. For example, it only applies to for-profit entities, it does not require a legal basis for processing personal data (like article 6 of GDPR), there are no restrictions on international transfers and there is no requirement to appoint a data protection officer.
Unlike GDPR, CCPA has no dedicated regulator comparable to the UK’s Information Commissioner. It is primarily enforced by California’s attorney general (AG) through the courts, although there is a private right of action for a security breach. The courts can impose the following penalties and damages:
- Civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation.
- Statutory damages of $100–$750 per consumer per incident – or actual damages, if higher – where a security breach results from a business’s failure to implement reasonable security procedures.
A business is only liable if it fails to cure the alleged violation within 30 days of being notified of it.
While CCPA penalties and damages may appear relatively low, it is important to note that they are per violation, and in the case of a security breach, per consumer per incident. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars.
Two large US companies are already facing a class action lawsuit alleging CCPA violations. Both suffered a data breach that compromised the names, addresses and credit card information of more than 10,000 California residents, which were then sold on the ‘dark web’. The lawsuit claims the companies failed to protect consumer data, to provide adequate security measures and to safeguard their systems from attackers, and that they delayed notification of the breach.
During the pandemic, video chat and conferencing apps have been used far more to stay connected. There are class actions against two videoconferencing companies claiming they failed to obtain users’ consent for the disclosure of their personal information to third parties such as Facebook.
The California State Assembly held a hearing on 12 June 2020 on the California Privacy Rights Act (CPRA) ballot initiative. Californians for Consumer Privacy, an advocacy group, has gathered more than 900,000 signatures to place CPRA on the ballot in November 2020. If enacted, CPRA will significantly amend CCPA and further expand the privacy rights of California consumers, as well as the compliance obligations of businesses that process their data.
CPRA will, among other things, permit consumers to prevent businesses from sharing (in addition to selling) their personal data; to correct inaccurate personal data about them; and to limit businesses’ use of ‘sensitive personal information’ (comparable to ‘special category data’ under GDPR). This includes information about race, ethnicity, religion and union membership, as well as biometric data.
The proposed law will also prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information longer than is reasonably necessary. Readers familiar with GDPR will recognise that CPRA is even closer to GDPR than CCPA is.
CPRA will also establish a new California Privacy Protection Agency, which will be tasked with enforcing and implementing consumer privacy laws and imposing administrative fines. If enacted, it will become operative on 1 January 2023, although its obligations would only apply to personal data collected after 1 January 2022.
A federal privacy law?
CCPA represents the first real, comprehensive privacy legislation in the US. It will, no doubt, form the foundation of other state privacy regulations and quite possibly a US federal privacy regulation.
Proactive businesses are already considering CCPA as a de facto US privacy law. Microsoft recently announced that it will apply the main CCPA rights to all its customers in the US.
Nevada residents also now have more control over how their personal information is used. Nevada’s Senate Bill 220 gives consumers the right to stop websites from selling their information to third-party firms.
CCPA’s impact will be felt not just by California-based businesses. Any business that processes personal data about Californian consumers needs to re-evaluate its privacy practices. With 40 million Californian residents making up 12% of the US population, it is likely that most big businesses will have to comply with the CCPA, wherever they are based.
With substantial penalties and damages for violations, and a 12-month ‘look back’ period (a consumer’s access request covers the 12 months preceding it), now is the time to implement CCPA compliance measures.
Ibrahim Hasan is a solicitor and director of Act Now Training