What is the California Consumer Privacy Act (CCPA)?
We examine the groundbreaking new data law that's often referred to as "America's GDPR"
The California Consumer Privacy Act (CCPA) is a law that was designed to improve the protections and rights afforded to data subjects in the state. It is now officially being enforced after coming into effect on 1 January 2020.
The CCPA is seen to be one of the strictest and progressive data protection laws in the history of the US. It mirrors many of the protections given to EU residents through the General Data Protection Regulation (GDPR) as it looks to improve the amount of control data subjects have over their data and make companies more transparent with how that data is processed.
Furthermore, the bill introduces stricter sanctions for organisations that are found to have fallen victim to a data breach or to be non-compliant, with fines being based on the number of users affected.
The CCPA bill was passed and signed into law on 28 June 2018 and has undergone a variety of amendments since then. After September 2019, the legislation moved past the deadline for any opportunities to prevent its enactment, and organisations were required to bring about changes in the way they handled user data, starting in January 2020.
Even though some business groups asked for a delay because of the coronavirus pandemic, enforcement of the bill began on 1 July 2020. Due to the pandemic, companies argued that they were suffering from limited resources and budgets, with new research highlighting that 56% of data privacy professionals expected an increase in CCPA rights requests as a result of COVID-19. As of April 2020, the same research showed that 51% of companies received more than 10 requests a week, while 20% received more than 100 requests a week.
With these requests ignored, California’s Attorney General will be able to take direct action against businesses that violate the privacy protection requirements of the law. Until now, enforcement was limited to civil actions brought by consumers against violators.
Why was the CCPA drafted?
The improvement of data protection rights has become an issue for many governments, digital rights groups and citizens across the world, with work having been done over the past decade to find a balance between robust data protections and carefully crafted rules to allow companies to still use that data for commercial gain.
From B2B to D2C online sales
Create a direct-to-consumer web store with the potential to transform your businessDownload now
However, the issue has been amplified in recent times, in no small part thanks to the discovery of some of the worst data breaches and abuses of data in history. Billions of customers have been affected by hacks on Yahoo, Equifax, First American Bank, and Marriott International, to name a few, all within the last six years. The Cambridge Analytica scandal also highlighted unprecedented levels of flippancy over user data, with Facebook practices allowing for the improper sharing of account data on millions of users to third-party companies without permission.
Given that the United States does not currently have a principal federal data protection regime in place, it has fallen to states to enact their own laws that seek to protect citizens from the worst of these abuses.
For California, this urgency produced the far tougher California Consumer Personal Information Disclosure and Sale Initiative, a bill initially put forward by advocacy groups as a way of improving data rights in the state, proposing that some companies be banned entirely from sharing or selling personal data. After discussions, however, the groups agreed to compromise by withdrawing the bill in favour of the more lenient, but more practicable CCPA.
Who does the CCPA apply to?
The CCPA gives new data rights to all Californian consumers defined as permanent residents of California.
Specifically, consumers have a right to know exactly what personal data is being collected about them by companies, and whether that data is then sold on or disclosed to third parties. Consumers also have the right to opt out of the sale of their data, access the data that companies hold on them, and request this data be deleted.
In turn, companies that collect this data are legally required to facilitate these new data rights and are prohibited from discriminating against consumers that choose to exercise them.
Consumers are allowed up to two data access requests each year, although this is limited to only the previous 12 months of data collection and processing. However, there are no restrictions on data deletion requests or do not sell' requests.
The CCPA applies to any business entity, including non-profits and charities, that collects the personal data of permanent Californian residents, and does business in California. The business must also have either:
- Annual gross revenue of $25 million or higher;
- Processing activity that involves information on 50,000 or more consumers, households or device;
- More than half of revenue coming from the sale of consumer personal information
How is personal data defined under CCPA?
Personal information has a rather broad definition under the CCPA and can include anything related to the "characteristics and behaviours, personal and commercial, as well as inferences drawn from this information".
That means that any data that is likely to identify, relate to or describe an individual would be considered personal information. Name, the user's alias, address, email address, unique online identifier, IP address, account names, social security numbers, passport numbers, and driver's license all fall under this definition.
There are some specific categories listed in the statute, including biometric, location, financial, and household purchase data.
A person's signature, description of their physical characteristics, educational background, and employment history are also examples of data that could be related to a consumer, and therefore are restricted.
It's important to note that the CCPA does not legislate against the collection, processing, retention, or sale of consumer data that is anonymous or has been de-identified. However, a business must be able to demonstrate to a high threshold that the data is truly anonymous.
What does the CCPA require of businesses?
The act introduces a number of requirements that force businesses to make their data processing activities more transparent.
Signposting of data rights
Businesses are also required to provide a "Do Not Sell My Personal Information" link on their websites for any consumers that wish to opt-out of having their data sold to third parties. There should also be clear signposting reminding the consumer of their data rights, and ways for the consumer to easily contact the company directly, free of charge, about exercising their data rights.
For any specific consumer requests (the equivalent of a GDPR subject access request), businesses are required to provide details on how their data is being processed, the purpose of that processing, the categories of data involved, and the anticipated length of the processing activity. Businesses must also provide further notice if they wish to acquire further personal information or use existing information for a different purpose.
Third parties are permitted to resell any personal information acquired from another business, however, they must provide explicit notice to consumers that this is their intention, and provide those consumers with an opportunity to opt-out before the sale occurs.
The CCPA also bans the sale of personal information related to a child or consumer under 16 years of age without consent to do so. This consent can be provided directly by the child if they are between the ages of 13 and 16. For those under 13, parental consent must be given.
Execution of data requests
In order to facilitate the rights of citizens, including access and deletion, businesses are required to have robust data processes in place. This is not only because there needs to be a smooth transfer of data between company and consumer, but also because any additional costs associated with this data retrieval cannot be passed on to the consumer and must instead be absorbed by the company.
Businesses are required to adhere to the demands of consumers as part of the execution of data rights, including providing access to data and any additional information associated with that data, such as information on the third parties that the data is shared with.
This information must be provided in a format that is free of charge (unless the request is excessive), can be accessed by the consumer, and can support being shared to other entities without hindrance. Businesses are also required to delete data when instructed by the consumer, and to ensure third parties also carry out data deletion where applicable.
Businesses are required to respond to a request within 45 days of receiving a notification. Consumers are restricted to two data access requests per year, and can only request data from the past 12 months, however, there are no such restrictions on data deletion requests.
Interestingly, the CCPA also specifically prohibits businesses from discriminating against consumers that have chosen to exercise their data rights.
What sanctions are possible under the CCPA?
The CCPA not only overhauls consumer data protections but also introduces far tougher and potentially crippling fines for data misuse.
The Californian Attorney General has the power to sanction companies found to be in breach of the CCPA up to $2,500 per violation, or up to $7,500 if it's clear the violation was intentional. Any business that falls victim to data theft can also be forced by a class-action lawsuit to pay statutory damages between $100 and $750 per consumer affected.
However, the law also states that businesses have 30 days to rectify any violations, if applicable.
Amendments to the CCPA
A number of final amendments were put forward ahead of September 13, 2019 deadline, five of which were passed and are now awaiting signature by the Governor of California. The following are the most substantive changes that the five amendments will create:
Bill 25: Employment information
- This bill exempts personal information collected by businesses in the context of employment, such as data gathered as part of an application or as part of their role in that business until January 1, 2021. Also exempt from the CCPA is data collected in order to process employment benefits.
- This one year grace period is effectively there to give the state time to enact a further privacy bill specific to employment.
Bill 874: Publicly available personal information.
- This narrows what is defined as personal information' and expands the scope of publicly available information'.
Bill 1146: Vehicle information
- Changes the scope of the opt-out' right by allowing consumer data to be shared between new vehicle dealers and the manufacturer if that data sharing is strictly only for the purpose of vehicle repairs under a warranty.
- A new clause, lasting for just one year, exempts personal data collected as part of a business-to-business contract, or through B2B communications with a consumer, from the majority of the CCPA's rules.
- Businesses are now also permitted to perform appropriate authentication steps in the context of consumer data requests and are also allowed to require consumers to submit requests through their existing accounts.
Notable rejected amendments
Disclosure of facial recognition use
- If enacted, this bill would have forced companies to publicly disclose their use of facial recognition technology. As it stands, businesses are not required to do so.
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download