The CCPA is important because California is the world’s fifth-largest economy and, as the home of Silicon Valley and companies like Google, Apple and Facebook, is arguably the epicenter of the internet economy. And it could affect many businesses that are totally unaware that they are subject to the new law.
Here are five things that companies need to know about the CCPA.
Please note that this article represents the views of the author solely, and is not intended to constitute legal advice.
The CCPA might apply to lots of businesses that aren’t based in California
The CCPA applies to for-profit companies doing business in California that have $25m or more in annual gross revenue, possess the personal information of 50,000 or more consumers, households, or devices, or earn more than half their revenue from selling consumers’ personal information.
What constitutes “doing business in California”? This isn’t defined in the text of the CCPA and no guidance has yet been provided, but under tax law, companies that don’t have a physical presence in the state have in some cases been found to meet this criterion based on their ties to California, such as repeated sales to customers in the state.
If similar interpretations were applied to the CCPA, potentially thousands upon thousands of businesses, including ones not physically present in the state, could find themselves subject to the CCPA, just as many businesses not based in EU countries are still subject to the GDPR.
The “personal information” the CCPA aims to protect is broad
A primary function of the CCPA, much like the GDPR, is to prescribe rules companies need to follow that will help protect consumers’ “personal information.” The CCPA broadly defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples of “personal information” under the CCPA are names, aliases, email addresses, mailing addresses, IP addresses and unique identifiers. Under the CCPA, biometric, geolocation, purchase history, and network activity data, among other types of data many companies collect about their users and customers, is also considered “personal information”.
Publicly available information can even become “personal information” when it is “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained”.
Companies subject to the CCPA will have substantial new obligations
Under the CCPA, consumers will have a number of new rights. These include the right to know what personal data is being collected about them and who, if anybody, it is being sold to. They will also have the right to access their personal data, reject the sale of their data and request deletion of their data.
Companies will be obligated to respect these rights and the CCPA prescribes a number of specific requirements, such as “Right to Say No to Sale of Personal Information” links on websites, toll-free phone numbers for data access requests, and disclosures of consumer rights in privacy policies.
Notably, the CCPA explicitly forbids companies from discriminating against consumers who exercise their rights under the Act. Discrimination includes “denying goods or services to the consumer” and “providing a different level or quality of goods or services to the consumer”, which suggests that businesses could have a difficult time using so-called forced consent, a controversial issue with the GDPR.
The penalties for non-compliance can be severe
As evidenced by the ICO’s recent £183m British Airways fine, GDPR penalties are no laughing matter and the same is true of the penalties possible under the CCPA.
The California Attorney General will have the authority to enforce the CCPA and intentional violations could result in fines of up to $7,500 per violation. Fines for non-intentional violations will be capped at a still potentially significant $2,500.
But the real stick in the CCPA comes in the form of a private right of action that would allow consumers to sue companies individually or as part of class actions if their personal information is disclosed as a result of a company’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Damages associated with such incidents would be no less than $100 and as much as $750 per consumer per incident, or actual damages, whichever is greater.
This is a big deal because under current law, a consumer generally has to prove actual damages to recover money. The ability of consumer plaintiffs to receive statutory monetary damages under the CCPA even where actual damages cannot be proved creates a huge new risk for companies that makes “early preparation imperative” according to law firm DLA Piper.
The CCPA is not the GDPR
Despite their many similarities, there are substantial differences between the CCPA and GDPR. Law firm BakerHostetler has compiled a detailed comparison. For example, while the GDPR applies to individual data subjects, the CCPA also extends to information gathered at the level of households and devices. And the CCPA regulates different parties than the GDPR, with some parts even extending to third parties and service providers.
One of the key implications of the differences between the CCPA and GDPR is that a company will not be compliant, or near-compliant, with the CCPA simply because it is compliant with the GDPR. While companies that went through the process of figuring out how to comply with the GDPR might be better prepared to go through a similar process for the CCPA, these are two different laws and companies are wise to treat them as such.
Econsultancy subscribers can read A marketer’s guide to the California Consumer Privacy Act, our in-depth briefing examining the significance of the CCPA, its differences from the GDPR, and how it will impact marketing.