What is the California Consumer Privacy Act (CCPA)?
A look at the groundbreaking new data law that's often referred to as "America's GDPR"
The California Consumer Privacy Act is new legislation due to come into effect on January 1, 2020, designed to improve the rights and protections afforded to data subjects in the state.
The CCPA is considered to be one of the most progressive and strictest data protection laws in US history, mirroring many of the protections provided to EU residents under the General Data Protection Regulation (GDPR). In essence, it aims to improve how much control data subjects have over their data and force companies to be more transparent with how data is processed.
The bill also introduces tougher sanctions for companies either found to be non-compliant or that have fallen victim to a data breach, the fines for which are determined based on the number of users affected.
The CCPA bill was passed and signed into law on June 28, 2018, and has received a number of amendments since then. As of September 13, 2019, the bill is now beyond the deadline for any opportunities to halt its enactment, and therefore businesses will be required to make changes to the way they handle user data come January 2020.
Why was the California Consumer Privacy Act drafted?
The improvement of data protection rights has become an issue for many governments, digital rights groups and citizens across the world, with work having been done over the past decade to find a balance between robust data protections and carefully crafted rules to allow companies to still use that data for commercial gain.
However, the issue has been amplified in recent times, in no small part thanks to the discovery of some of the worst data breaches and abuses of data in history. Billions of customers have been affected by hacks on Yahoo, Equifax, First American Bank, and Marriott International, to name a few, all within the last six years. The Cambridge Analytica scandal also highlighted unprecedented levels of flippancy over user data, with Facebook practices allowing for the improper sharing of account data on millions of users to third-party companies without permission.
Given that the United States does not currently have a principal federal data protection regime in place, it has fallen to states to enact their own laws that seek to protect citizens from the worst of these abuses.
For California, this urgency produced the far tougher California Consumer Personal Information Disclosure and Sale Initiative, a bill initially put forward by advocacy groups as a way of improving data rights in the state, proposing that some companies be banned entirely from sharing or selling personal data. After discussions, however, the groups agreed to compromise by withdrawing the bill in favour of the more lenient, but more practicable CCPA.
Who does the CCPA apply to?
The CCPA gives new data rights to all Californian consumers defined as permanent residents of California.
Specifically, consumers have a right to know exactly what personal data is being collected about them by companies, and whether that data is then sold on or disclosed to third parties. Consumers also have the right to opt-out of the sale of their data, access the data that companies hold on them, and request this data be deleted.
In turn, companies that collect this data are legally required to facilitate these new data rights and are prohibited from discriminating against consumers that choose to exercise them.
Consumers are allowed up to two data access requests each year, although this is limited to only the previous 12 months of data collection and processing. However, there are no restrictions on data deletion requests or do not sell' requests.
The CCPA applies to any business entity, including non-profits and charities, that collects the personal data of permanent Californian residents, and does business in California. The business must also have either:
- Annual gross revenue of $25 million or higher;
- Processing activity that involves information on 50,000 or more consumers, households or device;
- More than half of revenue coming from the sale of consumer personal information
How is personal data defined under CCPA?
Personal information has a rather broad definition under the CCPA and can include anything related to the "characteristics and behaviours, personal and commercial, as well as inferences drawn from this information".
That means that any data that is likely to identify, relate to or describe an individual would be considered personal information. Name, the user's alias, address, email address, unique online identifier, IP address, account names, social security numbers, passport numbers, and driver's license all fall under this definition.
There are some specific categories listed in the statute, including biometric, location, financial, and household purchase data.
A person's signature, description of their physical characteristics, educational background, and employment history are also examples of data that could be related to a consumer, and therefore are restricted.
It's important to note that the CCPA does not legislate against the collection, processing, retention, or sale of consumer data that is anonymous or has been de-identified. However, a business must be able to demonstrate to a high threshold that the data is truly anonymous.
What does the CCPA require of businesses?
The act introduces a number of requirements that force businesses to make their data processing activities more transparent.
Signposting of data rights
Businesses are also required to provide a "Do Not Sell My Personal Information" link on their websites for any consumers that wish to opt-out of having their data sold to third parties. There should also be clear signposting reminding the consumer of their data rights, and ways for the consumer to easily contact the company directly, free of charge, about exercising their data rights.
For any specific consumer requests (the equivalent of a GDPR subject access request), businesses are required to provide details on how their data is being processed, the purpose of that processing, the categories of data involved, and the anticipated length of the processing activity. Businesses must also provide further notice if they wish to acquire further personal information or use existing information for a different purpose.
Third parties are permitted to resell any personal information acquired from another business, however, they must provide explicit notice to consumers that this is their intention, and provide those consumers with an opportunity to opt-out before the sale occurs.
The CCPA also bans the sale of personal information related to a child or consumer under 16 years of age without consent to do so. This consent can be provided directly by the child if they are between the ages of 13 and 16. For those under 13, parental consent must be given.
Execution of data requests
In order to facilitate the rights of citizens, including access and deletion, businesses are required to have robust data processes in place. This is not only because there needs to be a smooth transfer of data between company and consumer, but also because any additional costs associated with this data retrieval cannot be passed on to the consumer and must instead be absorbed by the company.
Businesses are required to adhere to the demands of consumers as part of the execution of data rights, including providing access to data and any additional information associated with that data, such as information on the third parties that the data is shared with.
This information must be provided in a format that is free of charge (unless the request is excessive), can be accessed by the consumer, and can support being shared to other entities without hindrance. Businesses are also required to delete data when instructed by the consumer, and to ensure third parties also carry out data deletion where applicable.
Businesses are required to respond to a request within 45 days of receiving a notification. Consumers are restricted to two data access requests per year, and can only request data from the past 12 months, however, there are no such restrictions on data deletion requests.
Interestingly, the CCPA also specifically prohibits businesses from discriminating against consumers that have chosen to exercise their data rights.
What sanctions are possible under the CCPA?
The CCPA not only overhauls consumer data protections but also introduces far tougher and potentially crippling fines for data misuse.
The Californian Attorney General has the power to sanction companies found to be in breach of the CCPA up to $2,500 per violation, or up to $7,500 if it's clear the violation was intentional. Any business that falls victim to data theft can also be forced by a class-action lawsuit to pay statutory damages between $100 and $750 per consumer affected.
However, the law also states that businesses have 30 days to rectify any violations, if applicable.
Amendments to the CCPA
A number of final amendments were put forward ahead of September 13, 2019 deadline, five of which were passed and are now awaiting signature by the Governor of California. The following are the most substantive changes that the five amendments will create:
Bill 25: Employment information
- This bill exempts personal information collected by businesses in the context of employment, such as data gathered as part of an application or as part of their role in that business until January 1, 2021. Also exempt from the CCPA is data collected in order to process employment benefits.
- This one year grace period is effectively there to give the state time to enact a further privacy bill specific to employment.
Bill 874: Publicly available personal information.
- This narrows what is defined as personal information' and expands the scope of publicly available information'.
Bill 1146: Vehicle information
- Changes the scope of the opt-out' right by allowing consumer data to be shared between new vehicle dealers and the manufacturer if that data sharing is strictly only for the purpose of vehicle repairs under a warranty.
- A new clause, lasting for just one year, exempts personal data collected as part of a business-to-business contract, or through B2B communications with a consumer, from the majority of the CCPA's rules.
- Businesses are now also permitted to perform appropriate authentication steps in the context of consumer data requests and are also allowed to require consumers to submit requests through their existing accounts.
Notable rejected amendments
Disclosure of facial recognition use
- If enacted, this bill would have forced companies to publicly disclose their use of facial recognition technology. As it stands, businesses are not required to do so.
Successful digital transformations are future ready - now
Research findings identify key ingredients to complete your transformation journeyDownload now
Cyber security for accountants
3 ways to protect yourself and your clients onlineDownload now
The future of database administrators in the era of the autonomous database
Autonomous databases are here. So who needs database administrators anymore?Download now
The IT expert’s guide to AI and content management
Your guide to the biggest opportunities for IT teams when it comes to AI and content managementDownload now