On 1 January 2020, the California Consumer Privacy Act (CCPA) - a new data privacy and consumer protection law designed to give data subjects in California more control over their personal data and ensure that businesses are transparent with their data processing activities - comes into force.
UK businesses should have already taken steps to evaluate their compliance obligations and update cybersecurity and privacy policies accordingly. If not, now is the time to act.
Will this affect me?
The CCPA is designed to protect the rights of Californian consumers, but will apply to businesses regardless of their geographic location, if they meet the below criteria:
- they do business in California;
- they collect or tell others to collect California residents’ personal data;
and if any one of the following is true:
- their annual gross revenue is over $25,000,000;
- annually they buy, sell, receive or share the personal data of 50,000 or more California residents, households or devices; or
- they derive 50% or more of their annual revenues from selling California residents’ personal data.
CCPA vs GDPR
Businesses may be tempted to assume that the actions they’ve taken to ensure compliance with the GDPR will largely suffice for the CCPA. But while there is a degree of overlap between the CCPA and the GDPR, they do differ in some respects.
Both laws give data subjects control over their personal data (for example they give data subjects rights to access and erase their personal data) and require transparency about how personal data is being used, but the CCPA goes even further in its definition of personal data, to include household information.
The CCPA’s broad definition covers information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This could include, for example, account names, email addresses, internet activity (including browsing and search history) and commercial information such as records of property. It does not include, however, information that is publicly available. Some categories of personal data (such as personal data collected by a business from employees) are exempt from compliance with certain CCPA requirements for one year (until 1 January 2021).
Both laws also differ in terms of their privacy notice requirements and fines. The CCPA has a maximum fine of $7,500 (approximately £5,700), however this is the fine for every intentional violation and could amount to a hugely significant figure if thousands of data incidents were to occur. By comparison, the GDPR provides for fines up to 4% of worldwide turnover for serious violations.
What do I need to do?
If you’ve yet to take action, the immediate requirement will be to determine if your business has a CCPA compliance obligation and modify privacy policies and procedures accordingly. Although there is some overlap, your current GDPR compliance programme will likely be inadequate, yet businesses which have equipped themselves properly for the GDPR will have a head start in building their CCPA preparedness. A legal audit against your current program is likely to identify any compliance gaps that can be addressed.
The CCPA sets out several specific instructions for compliance, including the use of a “Do Not Sell My Personal Information” link on the website homepage to maximise the ease with which California residents can opt out of the sale of their personal data. Businesses are also required to be transparent about how they use personal data by informing data subjects of the categories of personal data to be collected and the purposes for which it will be used.
Although California’s Attorney General has confirmed that his office will not be enforcing the law until July 2020, it is possible that the office will nevertheless be able to enforce violations that occur earlier in the year. Businesses should therefore do everything in their power to be ready on 1 January 2020 and have in place the appropriate cybersecurity protections in order to minimise the risks of an inadvertent data breach.