The digital world was shaken up on June 28, 2018 when the California Consumer Privacy Act of 2018 (CCPA) was passed by the state legislature, introducing the strictest data privacy and digital consumer rights law within US borders.
Following in the footsteps of the General Data Protection Regulation (GDPR), the CCPA brings the data privacy efforts forged by the EU into US legislation, setting the stage for a new era in American digital regulation.
But what exactly is the CCPA? Why has it been deemed the “California GDPR”? And what does it mean for your business?
1. California Consumer Privacy Act of 2018 (CCPA) Summary
By holding businesses accountable for data protection through strict guidelines and threatening consequences, the new California privacy act is setting the foundation for US data privacy in 2020.
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law passed by the state of California on June 28, 2018. It outlines new standards for data collection, new consequences for businesses that fail to protect user data, and new rights that California consumers can exercise over their data.
When does the California Consumer Privacy Act take effect?
The act is set to take effect on January 1, 2020.
Due to the California legislative process, measures signed by the Governor are subject to edits before the effective date. Changes to the text can be introduced up until January 1, 2020, if they are unanimously agreed upon by the Senate.
This means that up until the first of the year, the official language of the CCPA may change.
Who needs to worry about CCPA compliance?
According to section 9 (SEC. 9. 1798.140) of the bill, “businesses” that collect “consumer” data must comply with the CCPA. But how does the law define “business” and “consumer”?
Consumer — Under the CCPA, a “consumer” is defined as a California resident.
Business — The CCPA defines a “business” as a for-profit entity that collects “consumer” data and meets at least one of the following thresholds:
- Annual gross revenue over $25 million
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derives 50% or more of its annual revenue from selling consumer personal information
It’s important to note that the CCPA applies to all businesses, as defined above, that collect data from California residents, regardless of where the business itself is headquartered.
The CCPA does not apply to nonprofits and California state and local governmental entities.
Given the breadth of the CCPA’s definitions of business and consumer, companies across the US that collect user data and deploy cookies are likely to be subject to the CCPA.
2. The “California GDPR”
Shortly before the CCPA was signed into law, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR — with its extensive guidelines for handling user data and its worldwide reach — redefined data privacy regulation.
The following month, the California GDPR was passed, and the US made its first effort to follow in the footsteps of the EU.
The CCPA has earned names like “California GDPR” and “GDPR Lite” because of its similarities to the GDPR. Both laws seek to:
- Grant users rights over their data through access, transfer, editing, and deletion requests
- Give consumers the ability to opt out of certain data-processing practices
- Establish greater consequences for businesses that fail to adequately protect data
- Shift accountability for data protection onto businesses that collect and handle user information
While the CCPA is notably lighter than its European counterpart, the consumer rights law introduces the goals of the GDPR to the US. See our CCPA vs GDPR infographic for more details on the differences between these laws.
Companies in the US that target customers in the EU must still comply with the GDPR. Check out our GDPR overview for a clear guide to the concepts that shape this complex privacy law.
3. CCPA Compliance — How to Meet CCPA Requirements
Hearing that the CCPA is California’s GDPR may send some business owners into a panic. Fortunately for those who must comply, CCPA guidelines are lighter, clearer, and easier to adopt than the lengthy requirements of the GDPR.
The CCPA primarily addresses four areas: access, user control, protection, and non-discrimination.
According to the CCPA text, Californians are now entitled to the following rights:
- To know what information is being collected about them
- To know if their personal information is sold or disclosed, and to whom
- To say ‘no’ to the sale of personal information
- To access their personal information
- To equal service and price, even if they exercise their privacy rights
But what exactly do these rights mean for businesses that collect, store, share, and use the information of California citizens?
Let’s break down each of these rights and how you, as a business owner, can comply:
The California privacy act aims to give users greater access to the information that is collected from them, and to let them know how that information is treated and shared, bringing about a culture of transparency around consumer data.
Under the CCPA, users have the right to request that businesses disclose to them the following:
- What information has been collected
- The sources from which that data was collected
- The business purposes for collection
- Whether that information is sold, and for what business purpose
- The third-party recipients of the data
You, on behalf of your business, need to be able and willing to divulge the above information to your users upon “verifiable request.” The information you relay should cover the last 12 months of data collection, sharing, use, and sale, as it applies to that consumer’s personal information.
According to the bill text, a “verifiable consumer request” is a request made by a consumer, a consumer on behalf of a minor, or a person legally authorized to act on behalf of a consumer, that addresses data verifiably collected from or about that consumer.
To field these requests, many websites choose to offer users a contact form that can be filled out with the details of the data request.
If you receive such a request, make sure to present the information to the user within 45 days, as per the guidelines of the CCPA.
Furthermore, any California consumer has the right to make such requests twice over the course of 12 months.
In this age of increasingly severe techlash, new privacy laws — from the GDPR to the CCPA — notably serve to give users more control over their data. From making data handling requests, to having the ability to opt out of data sale, users are given rights over their personal information that have never before been established on American soil.
Let’s dive into what you need to do to uphold these new rights and controls.
Honor consumers’ data requests
Not only do you need to honor a user’s request to access information about the data collected from them, but you also need to honor requests to delete that data entirely.
A request form can satisfy both the access and deletion aspects of user data management. Making such a form, link, or page available on your site will allow users to exercise the rights they have over their data — and keep you off the Attorney General’s radar.
Allow users to opt out of the sale of their data
According to Section 1798.120 (a) of the California Consumer Privacy Act official text:
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
To honor this right, your site needs an opt-out link that takes the user to a page where they can opt out of the sale of their personal information.
Implement data sale opt-in for consumers under 16 years old
While most users are granted the right to opt out, as detailed above, those under the age of 16 are explicitly given the “right to opt in.”
Section 1798.120 (d) states:
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, […], has affirmatively authorized the sale of the consumer’s personal information
While the right to opt in applies broadly to users under the age of 16, keep in mind that to lawfully sell the data of users under the age of 13, the opt-in to data sale must be granted by a parent or guardian. See our opt-in/opt-out guide for more information.
As we cover below, in the penalties section, consumers now have the right to sue over a loss of privacy resulting from a data breach.
Keeping consumer data safe and secure largely comes down to caution and organization.
Data is a precious commodity, and the damages your business can face for failing to keep it safe are loftier than ever.
Make an effort to audit your data, evaluate the procedures with which you handle it, and adjust your strategies accordingly to maximize protection. Now more than ever, it’s your responsibility — as a business — to protect your users’ data.
GDPR data mapping is quickly becoming a staple in the appropriate handling of consumer data, for both data safety and legal compliance.
The CCPA text states:
A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the title
But what exactly constitutes discriminatory practices against users who choose to opt out?
According to the CCPA, such actions include, but are not limited to:
- Denying goods or services
- Charging differential prices (including through the use of discounts, penalties, or price benefits)
- Offering a different quality of goods or services to those who exercise their rights than those who do not
- Suggesting that the consumer will receive differential prices or qualities in the event that they exercise their rights
The act does present a caveat to the above, noting that a business can, in fact, offer different prices or qualities of goods and services “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
While this allows businesses some wiggle room in how they may incentivize users to relinquish control of their data, we recommend proceeding with caution in this undertaking, given the high risk of consumer backlash.
4. CCPA Amendments
Due to the circumstances surrounding the passing of the bill, the text is subject to change up until its 2020 institution date. Privacy advocates and tech giants remain locked in head-to-head battle over clauses outlined in the California privacy law.
While some groups are fighting for stricter requirements and more expansive consumer rights, others are working to produce loopholes in the law.
All of the following amendments are currently pending (they have not yet been voted into law), but each has been approved by the Assembly’s Committee on Privacy and Consumer Protection to move on to the next vote.
Here are some of the most notable CCPA amendments so far that you need to know about:
Assembly Bill 25 (AB 25)
AB 25 proposes to modify the definition of a “consumer” under the CCPA. While the current definition extends to all California residents, AB 25 proposes to exclude Californians from the “consumer” designation in certain employment scenarios.
The bill states:
“Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, an agent on behalf of, the business
In other words, the rights of consumers under the CCPA do not apply to data collected within an employer–employee context.
Assembly Bill 846 (AB 846)
AB 846 proposes revisions to the non-discrimination statute of the CCPA. While this statute currently prevents companies from offering users discriminatory prices or products based on their data preferences, the bill seeks to redefine when this rule is applicable.
The three exceptions to this statute as proposed by AB 846 are:
- The user is a voluntary member of a loyalty and/or rewards program that requires their personal information and offers exclusive membership deals, prices, and/or products.
- The value of the user’s personal information reasonably relates to the value or price of the product.
- Collection of the user’s data is required for or reasonably related to the functionality of the product on offer.
Assembly Bill 873 (AB 873)
Like the other bills discussed, AB 873 has been approved to move forward to another vote. The proposed CCPA amendment specifies the definition of “deidentified information” as:
information that does not reasonably identify or link, directly or indirectly, to a particular consumer
Assembly Bill 981 (AB 981)
AB 981 proposes to exempt insurance institutions that are already subject to the Insurance Information and Privacy Protection Act (IIPPA) from CCPA compliance.
At the same time, the bill provides that certain CCPA requirements will be added to the IIPPA, ensuring that insurance institutions are held to the same privacy-protection standards as other businesses.
5. CCPA Penalties
Given that the act is a piece of state legislation, enforcement ultimately resides with the California Attorney General’s office.
As for the penalties that non-compliant businesses face, there are potential fines of $750 per person, per violation.
While this number immediately reads as much less than the multi-million-dollar fines threatened by the GDPR, large-scale data breaches or audience-wide data handling violations could easily add up to a detrimental chunk of change for companies to fork over.
For example, a business with just 1,300 consumers whose data is breached is subject to nearly a million-dollar fine.
Furthermore, the act allows California consumers to file lawsuits that are not based on a demonstrated loss of money or property, but rather on claims of loss of privacy.
Traditionally, lawsuits are founded on proof of damages. This not being the case under the CCPA has, in itself, sparked contention and concern from data-reliant companies.
Curious about privacy laws in other US states? Reference our privacy laws in the US guide to learn the privacy requirements for each state.
While the official language of the act when it comes into effect in 2020 will likely look different from how it does today, the core concepts of the bill, offering users greater access to, control over, and protection of their data, will surely remain intact.
This new measure, together with the data rights and privacy efforts ushered in by the GDPR, is substantially changing the way businesses operate online.
Now is the time to put compliance measures in place, and be vigilant in how you collect, use, sell, and share consumer data — or face the consequences.