CCPA (California Consumer Privacy Act)
Following a major consumer data scandal involving Facebook and Cambridge Analytica in 2018 several new privacy regulations were established. The General Data Protection Regulation or GDPR is among the most widely publicised. It ensures that companies are fined if they violate consumer data rights. Although the GDPR applies to some US companies doing business in the EU, it’s largely a European initiative. That’s why the California Consumer Privacy Act or CCPA was enacted in 2018 to ensure that US consumers could demand that companies in possession of their data would delete them if asked to. The new law is effective as of the 1st of January, 2020. But what is the CCPA? What are its major provisions? How does it differ from the GDPR? And what does it mean for UK companies doing business in the US?
CCPA – a definition
The CCPA is a consumer privacy act (AB 375) which enables California residents to request to see all the personal information a company serving in the state of California may hold on them. In addition, companies must disclose which third parties they have shared the data with. If the law is violated, consumers are able to sue a business for breach of regulation.
It was signed into law by Jerry Brown, the California Governor, in June 2018, and originally born from a ballot initiative that collected over 600,000 signatures. The final Act is widely considered to be preferable over a ballot initiative because it can be amended in the future. In contrast, US ballot measures – once initiated – cannot be easily amended.
The State of California Department of Justice defines the California Consumer Privacy Act 2020 as creating “new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” The California Attorney General is responsible for seeking public opinion to amend CCPA regulations.
What does the CCPA define as “personal” information?
Definitions of what one considers to be “private” or “personal” can differ from company to company. Under the CCPA, personal information is defined as any data that could identify or describe or indirectly link to a person. Whilst name, email, date of birth and address are clear examples of personal data, the Act goes much further. For example, it includes commercial information such as any records of products that a consumer purchased or rented. Other categories of “personal” information protected under the Act include online activities such as a user’s browsing history, audio history, geolocation data or employment-related information. However, it does not cover information that is publicly available. You can view a full list of what constitutes “personal” information under the CCPA here.
The major provisions of the CCPA briefly explained
The Act has several major provisions that US and international businesses must adhere to. Among them, consumers can request to know which personal information a company holds on them. At the same time, companies must state what kind of information they collect as part of their privacy policy and what the purpose for collecting this information may be. Anyone could also request to know what their information is being used for and with whom it has been shared.
Consumers now have the right to opt out of businesses selling their information to others. If a consumer requests that their data be deleted, companies aren’t allowed to refuse their service with some exceptions. For example, a healthcare insurer wouldn’t be able to provide a service without collecting certain consumer data like date of birth or known health conditions.
The Act also stipulates that businesses must provide a website and a free-to-call phone number for consumers to make a request to have their data deleted. Any requests made to view their personal information by a consumer must be followed up on within 45 days after it was received. With the January start date of the Act, companies will need to verify records dating back 12 months.
Here’s an overview of some of the CCPA’s major stipulations:
- Consumers can ask to view the information a business has collected on them (including the type of data and format) and shared with any third parties dating back 12 months.
- Consumers can request their information to be deleted.
- Consumers may opt out of their data being sold.
- Consumers have a right to not be refused service, with some exceptions.
- Consumers have a right for their request to be answered within 45 days.
What type of companies have to comply with the California Consumer Privacy Act?
The Act applies to all for-profit companies that provide services or products to residents in the US state of California which:
- Earn over $25 million (around £19 million) in revenue each year, or
- Have collected personal data on more than 50,000 California residents, or
- Make 50% of their revenues from selling personal information of California residents
This means that a business doesn’t necessarily have to be based in California or even in the US to have to comply with the CCPA. Indeed, an international company that falls under the above will also need to adhere to the Act. Importantly then, it doesn’t matter whether a UK business has an office in the US, what matters is whether they sell services or products to California residents.
In reality, given California’s large population, many large companies are already serving California residents. Although businesses can install IP trackers to monitor whether they’re serving California customers, such costly technological additions may not be suitable for all businesses. It’s, therefore, more likely that businesses will update their privacy policies to comply with the Act for all their customers. As data laws keep changing to address privacy concerns by consumers, it’s expected that most US states will adopt more stringent regulations in the near future. This may have wide-reaching consequences for UK businesses.
Small companies which do not collect large amounts of data, non-profit organisations and sole traders who do not collect data or earn more than the threshold aren’t covered under the Act. There are some other companies which are exempt from the CCPA law, including insurance providers, agents and support organisations. That’s because the latter are already covered under the California Insurance Information and Privacy Protection Act. In the UK, insurance companies need to be GDPR-compliant. UK insurers who deal with California residents should consult the CCPA or a lawyer to confirm which regulations apply to them in the US.
Time frame – when will companies need to begin to comply with the Act?
The CCPA is effective as of the 1st of January, 2020. This means all relevant businesses will now need to comply with the regulations. However, because consumers can request data dating back 12 months, most businesses should have had data collection and management systems in place since the start of 2019.
Non-compliance: How is the Act enforced and what happens if a company doesn’t comply?
If a consumer complains that the Act has been violated, companies have 30 days to comply with the law. Where a business does not act swiftly or fails to comply, they may face fines up to $7,500 (around £5,760) per case. For a company that deals with thousands of consumer records intentional or unintentional non-compliance could become costly quickly.
What’s more, the bill, for the first time, grants consumers the right to sue a company – either individually or as a class. At the moment, it’s not known what statutory damages in the event of a class-action lawsuit could look like or what the upper threshold may be. It’s, therefore, advised that companies take the Act seriously and ensure they comply. However, companies can avoid fines and lawsuits as long as they respond to customers within the time frame of 30 days and make any requested amendments swiftly.
For unauthorised access and data breaches, for example, theft or negligence, the Act states that consumers can receive damages between $100 (£77) to $750 (£575) per customer and incident. All fines apply to US and international companies alike.
Because most UK businesses will have already updated their privacy policies to comply with the GDPR, they’re already on track to comply with much of the CCPA as some of the provisions are similar between the two. But how similar are the CCPA and the GDPR?
GDPR vs. CCPA: differences and similarities
The CCPA is often dubbed the “American GDPR”. That’s because, in essence, many of its provisions are similar to the European counterpart. However, the CCPA is seen as a slightly more expansive and arguably stricter law than the GDPR. One of the main differences between the CCPA and the GDPR is the opting-out arrangement. Whilst the GDPR requires companies to allow consumers to opt out of data processing, the CCPA only enables opting out of the sale of personal information. That means companies can still collect private data, but can’t sell it without consent. The key differences and similarities between the two are shown in the table below.
| Feature | CCPA | GDPR |
|---|---|---|
| Reach | Covers data from California residents only | Covers all personal data in the EU |
| Right to access | Consumers can demand to view a record of all their personal data a company has collected or shared | Consumers can demand to view a record of all their personal data a company has collected or shared |
| Time frame | Answers to requests must be given within 30 days | Answers to requests must be given within 30 days, but if a request is complex the deadline can be extended to 3 months |
| Right to correct | Not included | Consumers can request their data records to be updated where errors are found |
| Right to withdraw or opt-out | Consumers can only opt out of their personal data being sold | Consumers can withdraw consent for their data to be processed |
| Right to be informed | Companies must inform customers if and how they are collecting personal data | Companies must inform customers if and how they are collecting personal data |
| Right to be forgotten | Personal data can be requested to be forgotten, subject to certain conditions | Personal data can be requested to be forgotten, subject to certain conditions |
| Right to data portability | Companies must export (but not import) data in a user-friendly format | EU companies need to export and import data in a user-friendly format |
| Right to equal service | Required | Implied |
| Damages | Between $100 (£77) to $750 (£575) per customer per case | No threshold |
| Penalty charges | $2,500 (£1,920) for unintended and $7,500 (£5,760) for intended violations | 4% global annual revenues |
Sources: PWC and Information Commissioner’s Office
The impact of the CCPA and what it means for UK businesses
The CCPA has far-reaching consequences for many businesses in the US and abroad. “Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private,” said Xavier Becerra, the California Attorney General. As a consequence, companies may incur considerable costs to comply with the Act. They should also prepare for a large number of consumer requests to come in and the eventuality of fines and litigation. Companies that already comply with the GDPR will need to carefully examine whether they should make additional updates to their privacy policies. Over the next few years, there’ll likely be several updates to the CCPA and businesses will need to make sure they keep up with changing regulations.
UK companies should make no assumptions. Just because they comply with the GDPR doesn’t mean they are automatically covered under the CCPA. Although the laws are broadly similar, there are also many differences. For example, the CCPA includes much more extensive information on what constitutes personal information and UK companies need to ensure they track these. International companies are therefore advised to assess whether any compliance gaps exist and address them swiftly to avoid fines.
The California Consumer Privacy Act is seen as the beginning of a wave of privacy regulations sweeping the US. Experts predict that 2020 will be a key year for major updates to consumer personal data protection laws, especially in states like New York and Massachusetts, where the New York Privacy Act and the Act Relative to Consumer Data Privacy are already pending, respectively. UK business owners are advised to put measures into place that allow them to adapt quickly to new or changing personal data requirements.
Please note the legal disclaimer relating to this article.