On June 28th, 2018, California enacted the California Consumer Privacy Act (CCPA). It will go into effect on January 1, 2020. Guidelines must be followed for any company who wishes to collect data on California residents. Some of the law may be adapted before enactment.
While many states are working to create their own data protection acts, CCPA is probably the toughest law that any state has enacted. You can expect other states and possibly the federal government to follow this initiative.
Many US companies who were lukewarm about implementing GDPR standards will now be forced to come into compliance with CCPA since most of those companies collect data from California residents.
While CCPA is very similar to GDPR, it has some additional requirements that companies need to be aware of.
Personally Identifiable Information (PII Data)
GDPR has a well defined list of what is included in PII Data:
- Identification Number
- Email Address
- Online User Information
- Social Media Posts
- Physical, Physiological or Genetic Information
- Medical Information
- Financial Information
- IP Address
CCPA includes any information that identifies a “household” as protected information.
CCPA also includes:
- Physical characteristics
- Phone Number
- Employment / Employment History
- Personal Property / Purchasing History
- Biometric Information
- Geolocation Data
CCPA also includes any inferences drawn about a consumer reflecting:
- Consumer preferences
- Psychological trends
Data and Metadata
While GDPR talks about data and what needs to be disclosed to individuals, CCPA explicitly states that a consumer has the right to be informed about:
- Categories of their personal data
- Categories of the sources of their data
- Categories of third parties that a business shares data with
There is an emphasis on what those categories are, how they are defined and how data is categorized.
CCPA also requires disclosure (via privacy policies) to include any information that has been collected, sold or otherwise disclosed over the last 12 months.
As part of the CCPA, businesses have to provide a clear and conspicuous link on their homepage titled – “Do Not Sell My Personal Information” which will allow consumers to restrict the sales of their information.
GDPR penalties can reach the greater of 20M Euro or 4% of worldwide revenue. CCPA has penalties of $7500 for each intentional violation.
Additionally, CCPA provides that in the event of a data breach a business may have to compensate the consumer from $100 to $750 per record breached.
Data Protection Officers
GDPR states that you must have a Data Protection Officer identified for an organization. CCPA does not require this entity in an organization.
Right to be forgotten
While both regulations have clauses for consumers who wish for their information to be forgotten, they have slightly different stipulations on when information is retained.
GDPR states that obligations do not apply where the processing:
- Is necessary for exercising the right of freedom of expression and information
- For compliance with EU or EU Member State Law
- For a task in the public interest or in the exercise of an official authority of the controller
- In the public interest in public health
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- For the establishment, exercise or defense of legal claims
CCPA states that deletions requests do not apply to information necessary for:
- Completing a transaction for which the personal information was collected, provide a good or service requested by the consumer or otherwise perform a contract between the business and the consumer
- Detecting security incidents
- Protecting against malicious, deceptive, fraudulent or illegal activity (or prosecute those responsible)
- Debugging to identify and repair functionality errors
- Exercising or ensuring the right of another to exercise free speech or another legal right
- Complying with the California Electronic Communications Privacy Act, which compels the production of or access to electronic communication information or electronic device information with a search warrant
- Engaging in research in the public interest (if the consumer has provided informed consent)
- Enabling solely internal uses aligned with the consumer’s expectations given their relationship with the business
- Complying with a legal obligation
- Using the information internally in a lawful manner compatible with the context in which the consumer provided it
As with all regulations, you should engage your legal team to ensure that your business is in compliance with the regulations that are applicable to you. This is a summary for your convenience and does not constitute any legal advice.