The Main Things To Know About The CCPA

Isabela Guarino Tancredo
Published in Palqee
5 min read · Sep 29, 2020


Despite being a technology cluster that hosts many of the world’s largest tech companies, the state of California (US) only passed a law on consumers’ privacy rights in 2018: the California Consumer Privacy Act (CCPA), enforced since January 2020.

The main scope of the CCPA is to grant California’s residents — or consumers, as the regulation names them — a new set of rights concerning their personal data while imposing certain obligations on companies that match the regulation’s criteria.

Just like its European counterpart, the GDPR, the CCPA grants consumers the rights to know, access, transfer, and delete their personal data, imposes penalties on non-compliant enterprises, and provides a right to opt out.

However, if you are part of a company that does business in California or processes personal data belonging to California residents, there are some particularities of the CCPA you need to be aware of for compliance.

Here are the most important things to know about the CCPA.

1. Businesses don’t have to be located in California to be reached by the CCPA.

Regarding the CCPA’s territorial limits, it is important to stress that its scope isn’t defined by the company’s location. According to the California privacy law, it applies to every company that does business in the state of California or that processes data from California residents, no matter where the business’s offices are located.

In this sense, even if your company is located in another state or country, whenever it remotely does business in California or processes data from an individual who resides in California, it has to follow the CCPA’s principles and may be subject to its penalties in case of a data privacy incident.

2. Not every business that processes data from California consumers is impacted by the CCPA.

To be subject to the CCPA’s principles and obligations, the company needs to match one of the requirements set by the regulation itself, meaning not every enterprise that does business with California consumers is necessarily affected by the act.

Any for-profit business collecting and processing data from California residents will only fall under the CCPA’s scope if it fits at least one of the criteria below:

  • Has a gross revenue greater than $25 million;
  • Buys, sells, or commercially shares the personal data of more than 50,000 California consumers, households, or devices within a year; or
  • Derives more than 50% of its annual revenue from selling consumers’ personal information.

It is important to stress that even if a business doesn’t match any of the requirements above, it will still fall under the scope of the CCPA if it controls or is controlled by a covered business, or if it shares common branding (such as a name or trademark) with a covered business.

3. Some types of personal data aren’t covered by the CCPA’s protection.

The CCPA’s individual rights cover various types of personal data, such as any information that can be linked to an individual or household: name, social security number, e-mail address, fingerprints, internet browser history, purchase history, geolocation information, among many others that could be used to create a profile.

Despite that, unlike other regional privacy regulations such as the Brazilian LGPD and the European GDPR, which protect every type of information related or relatable to an individual, the CCPA excludes some types of personal data from its scope, such as:

  • Information obtained in medical research or clinical trials;
  • Medical information;
  • Publicly available personal information;
  • An individual’s credit activity information sold by independent entities that collect, compile, and provide credit-issuing businesses with this data;
  • Consumers’ financial information processed by financial entities; and
  • Information collected and processed by state Departments of Motor Vehicles.

This exclusion doesn’t mean these types of personal data aren’t protected under American law; it means that specific regulations other than the CCPA apply, such as the Gramm-Leach-Bliley Act for financial information and the Driver’s Privacy Protection Act for drivers’ personal information.

4. The right to opt-out from personal information sales.

The CCPA expressly created the Controller’s obligation to allow consumers to exercise the right to opt out, at any time, from any business activity involving the sale of their personal data to third parties, for a period of 12 months.

According to the Californian regulation, the right to opt out is a very specific right that applies only when the business is selling personal information, and it must not be confused with the individual’s right to consent to having their personal data collected and processed by a business.

In this sense, it is a wise practice for companies to insert a notice on their website home page, in contracts, and in other documents that allows consumers to check a “Do not sell my data” box and opt out of any selling activities.

It is important to note that the term “selling” isn’t limited to the classic meaning of the word; it is used broadly within the CCPA to cover activities in which the company sells, rents, makes available, transfers, or communicates personal information to third parties, by any means, in exchange for monetary or other forms of compensation.

Be aware that correctly interpreting the CCPA’s articles can be a challenge for companies that wish to map their data activities, define which processes constitute sales of personal data, and determine when it is necessary to grant consumers the right to opt out.

5. Private Lawsuits.

Regarding the consequences of data breaches and information security incidents for a business, not only can companies be fined by the Central Consumer Protection Authority for up to US$2,500 for each unintentional violation or US$7,500 per intentional violation, but the CCPA also allows consumers to bring a direct lawsuit against the responsible company and seek damages of between US$100 and US$750 per consumer and per incident.

Under the terms of the regulation, the state’s Attorney General can also bring cases against companies that intentionally cause privacy violations and sue them for up to US$7,500 per violation, as happened in the Cambridge Analytica scandal.

Since the CCPA doesn’t set a maximum penalty per incident, and because it empowers individuals to claim their rights without the Authority’s intervention, the total amount can vary widely depending on how much personal information is affected, and can reach enormous sums to the detriment of the responsible business.

Conclusion:

Even though the CCPA was inspired by its predecessor, the European GDPR, one can’t assume that the same guidance and particularities apply to two very different economic systems.

For this reason, for a business to comply with the privacy regulations of the world’s largest national economies, it must obtain in-depth knowledge of, and adopt data privacy measures that conform with, every major regulation, from the newest CCPA to the future regulations that will probably arise as soon as businesses think they are fully up to date on privacy matters.

Sources:

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

https://epic.org/privacy/drivers/

https://oag.ca.gov/privacy/ccpa

https://dataprivacymanager.net/ccpa-vs-gdpr/

https://iapp.org/resources/article/ccpa-and-gdpr-comparison-chart/
