California’s online data protection law, the first U.S. law of its kind to protect online data privacy, will begin to be enforced on July 1, 2020. The California Consumer Privacy Act (CCPA) is a consumer protection law that allows California residents to have knowledge and control over what data about them is being collected and sold. The CCPA will, in many cases, require companies to update their privacy policies and provide a mechanism to let consumers opt-out of the sale or disclosure of their personal data. Failure to comply can result in monetary penalties.
The CCPA requires compliance from for-profit companies that collect personal data and meet one of three thresholds: (1) the company has annual gross revenues in excess of $25 million; (2) the company buys, receives, or sells the personal information of 50,000 or more consumers or households; or (3) the company earns more than half of its annual revenue from selling consumers’ personal information. However, some types of for-profit companies, including health providers, insurance companies, certain financial companies, and credit reporting agencies, are excluded from the CCPA because they already comply with personal data rules under industry-specific laws.
The CCPA protects “personal data,” which is broadly defined and includes almost anything about a person. Specifically, “personal data” is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
The CCPA requires complying companies to “implement and maintain reasonable security procedures and practices” in protecting personal data. Notifying consumers of these procedures and practices can include displaying a pop-up window to make visitors aware of the company’s security practices and privacy policies that comply with the CCPA. How a company implements and maintains reasonable security procedures and practices is not explicitly defined under the CCPA and it is up to the companies themselves to determine what would be effective for complying with the CCPA. Companies not only have to implement security procedures and practices; they also need to maintain these procedures and practices to ensure they are effectively protecting personal data.
There are steps a company can take to ensure it is implementing and maintaining reasonable security procedures and practices under the CCPA. Initially, companies should identify and classify all the data that is being collected from consumers and determine where that information is located. Once the data is located, companies should check who has permission to access it and take steps to limit access to only those teams or individuals that need it. Then, companies should create a program that monitors the data and automatically deletes or archives stale data that is no longer necessary to keep. Finally, companies should routinely review the data they collect, who has access to it, what is actually being done with it, and whether it is at risk from security threats, and make adjustments accordingly. As part of that review, companies should check whether they actually need to collect each category of data for their business.
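The inventory, access-review and retention steps described above, as an added Python example that is not from the original article. The data stores, roles, record dates and the one-year retention period are constructed for illustration; the identifier list is taken from the statute's definition of "personal data" quoted earlier.

```python
from datetime import date

# Identifiers named in the CCPA's "personal data" definition (quoted above).
PERSONAL_DATA_FIELDS = {
    "name", "alias", "postal_address", "unique_personal_id", "online_id",
    "ip_address", "email", "account_name", "ssn", "drivers_license", "passport",
}

# Constructed inventory: for each store, its columns, the roles that can read it,
# the roles that actually need it, and when each record was last used.
STORES = {
    "crm.customers": {
        "columns": ["name", "email", "postal_address", "plan_tier"],
        "readers": {"sales", "support", "marketing", "intern"},
        "need_to_know": {"sales", "support"},
        "last_used": {"cust-1": date(2020, 6, 1), "cust-2": date(2018, 2, 3)},
    },
    "web.logs": {
        "columns": ["ip_address", "user_agent", "path"],
        "readers": {"secops"},
        "need_to_know": {"secops"},
        "last_used": {"log-9": date(2019, 1, 15)},
    },
    "billing.invoices": {  # no CCPA identifiers: reviewed but not reported
        "columns": ["invoice_id", "amount"],
        "readers": {"finance"},
        "need_to_know": {"finance"},
        "last_used": {"inv-1": date(2017, 5, 5)},
    },
}

def classify(store):
    """Step 1: which columns in this store are CCPA personal data."""
    return sorted(set(store["columns"]) & PERSONAL_DATA_FIELDS)

def excess_access(store):
    """Step 2: roles that can read the store but have no need to."""
    return sorted(store["readers"] - store["need_to_know"])

def stale_records(store, today, retention_days):
    """Step 3: records unused for longer than the retention period."""
    return sorted(k for k, d in store["last_used"].items()
                  if (today - d).days > retention_days)

def review(stores, today, retention_days=365):
    """Step 4: periodic review; only stores holding personal data are reported."""
    findings = {}
    for name, store in stores.items():
        fields = classify(store)
        if fields:
            findings[name] = {"personal_data": fields,
                              "excess_access": excess_access(store),
                              "stale": stale_records(store, today, retention_days)}
    return findings
```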
The CCPA draws comparisons to the E.U.’s General Data Protection Regulation (GDPR). The GDPR is binding on the E.U.’s 27 member states and controls how websites, companies, and organizations can handle personal data. Like the CCPA, the GDPR has a very broad definition of “personal data” which includes “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.”
One of the differences between the GDPR and the CCPA, however, is that the GDPR treats data as private by default and requires a person to then decide to opt out of the default privacy features when they visit a complying website. Unlike the CCPA, the GDPR does not condition compliance on size, profit status, or public/private status; all companies that perform data processing activities must comply. In contrast, the CCPA is more focused on providing transparency as to how personal data is being collected and used so a consumer can decide whether to let that continue.
Both the CCPA and GDPR have penalties for non-compliance. Under the GDPR, penalties can be as high as 4% of a company’s global annual turnover or €20 million, whichever is higher. The CCPA imposes lower monetary penalties, with $2,500 being the maximum per unintentional violation and intentional violations being capped at $7,500. A violator will have 30 days to cure the violation after receiving notice. Under the CCPA, violations and non-compliance with the California law will be enforced through civil actions brought by the Attorney General of California.
Even though the CCPA is narrower than the GDPR in the businesses it applies to, questions remain as to which companies would have to comply. First, a company has to be “for-profit,” which is the most straightforward of the compliance criteria. However, the threshold of $25 million in annual gross revenues can be problematic. It is possible that none of a California-based company’s gross revenue results from sales in California, yet the company would still have to comply. Because California is one of the largest economies in the world, this law will have a far-reaching impact on companies worldwide.