The California Data Privacy Law (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) is the most recent California data privacy law aimed at protecting the rights of state residents. The newly established CCPA goes into effect on January 1, 2020, giving businesses just over a year from when it was signed to become compliant.
Data Privacy in California
The idea that information may be personal and private has long been a point of legal discussion in the United States. The electronic collection, processing and transmission of data and their related privacy concerns have only recently been taken into consideration.
As a hotbed for technology startups, California routinely leads the way when it comes to passing data-related legislation. In 2002 it was the first state to pass a security breach law, requiring written notification to consumers whose data had been exposed. Then in 2004 it passed the Online Privacy Protection Act; this required businesses to prominently post Privacy Policies on their websites that outline what data is collected and how consumers can review or request changes to this information.
Once again, the state takes center stage. This recent California data privacy law is the first in the States to recognize that people have rights with respect to how their data is used.
The Details
Components of the California Data Privacy Law
Given that it is a state law, its contents apply to the data of California residents only. Much like the EU’s GDPR, it outlines a series of rights people have with respect to their data. According to the California Consumer Privacy Act, residents have the right to:
- Know what data is being collected and how it will be used;
- Know if their data may be disclosed or sold, along with the right to say “no” to this;
- Access their personal information; and
- Request the removal of their data.
The law also states that, if someone exercises their rights, a business may not discriminate against the person by denying goods or services, charging a different price or providing a different level of service.
While the law generally follows the same definition of personally identifiable information as other privacy acts, it also applies to data that could be traced back to a household, not strictly to an individual.
U.S. State Law, Worldwide Influence
California’s data privacy law applies to anyone who collects or processes the data of California residents. This means that a business does not need to be located in California in order to fall under the scope of the law. For instance, a business could exist in the state of Massachusetts or even another country, but, if it provides products or services to someone in San Francisco, it is subject to CCPA.
CCPA Fines and Consequences
Companies need to be aware of two possible ramifications of not complying with the law. The first is that the California Attorney General has the authority to fine the business up to $7,500 per violation. While that may sound steep, businesses actually have 30 days in which to rectify the situation. If they do so, the fine may not be levied.
A second consequence is also possible: individuals may file a claim against a business if their data was misused because the business did not provide reasonable security measures. Again, businesses have 30 days (called a cure period) in which to fix the problem and provide written documentation that it will not happen again. In the event that they do not do so, damages of $100 – $750 per resident may be awarded.
What Does the California Data Privacy Law Mean for Businesses?
Of course, given the borderless nature of the law, businesses throughout the United States and around the world will need to spend time and resources examining their use of data, as well as building in the appropriate notifications and consent mechanisms. That’s no small task.
However, beyond the logistics of complying with the CCPA, it’s important to consider that California is only one of 50 states, and, of course, the United States is one of many countries worldwide. This means there is potential for businesses to be responsible for compliance with multiple data privacy laws at a time, each with its unique set of rules, fines and processes.
Eventually, it is expected that a United States federal law will be enacted that would supersede state-level laws, helping to ease this confusion. At this time, however, there is no such nationwide data privacy law, so businesses need to stay abreast of data privacy laws in each state and respond accordingly.