Passed by the California State Legislature and signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, to give California residents more control over how businesses handle their personal information.
Under the CCPA, California residents have the following privacy rights regarding their personal information:
Since CCPA was signed into law, the California State Legislature has already approved additional amendments that cover additional exemptions and provide further clarification, including:
One of the key provisions introduced in the CPRA is the establishment of the California Privacy Protection Agency (CPPA) that will be responsible for auditing and enforcing CCPA. Unlike GDPR that included a governing authority, the original CCPA lacked a dedicated “watchdog” to enforce the law and an advocate to provide businesses and consumers with an educational venue for public awareness and understanding of rights and obligations. The establishment of the CPPA fills this previous gap.
CPRA also doubles CCPA’s 50,000 threshold to companies that buy, receive or sell personal information of more than 100,000 consumers or households. Additional modifications that help eliminate ambiguity, better define who must comply and provide greater protection, include:
While that may seem clear in theory, many businesses are still not entirely certain if they need to comply. First, it’s important to understand that your business does not need to be physically located in California, or even in the U.S. for that matter. Regardless of whether the processing of information takes place in California or not, you need to comply if you’re handling personal data of California residents and meet any of the thresholds. Along those lines, it’s also important to note that the annual gross revenue threshold of $25 million applies to ALL revenue, regardless of its source. In other words, even if only $3 million of your annual revenue comes from doing business with California residents, if your total revenue exceeds $25 million, you will still need to comply.
Considering that California is the most populous U.S. state with nearly 40 million residents and the fifth largest global economy, it is more likely than not that anyone conducting business at material scale in the U.S. needs to comply. Given the growth of the digital economy and ever-increasing e-commerce, CPRA/CCPA regulations are also set to impact more businesses than ever before. Smaller businesses that don’t currently meet the thresholds may eventually find themselves needing to comply when they take their business online and open the door to provide goods or services to California residents.
Buying, receiving or selling personal information of California residents can occur through a myriad of obvious transactions, but there also some not-so obvious means that may require you to comply. For example, regardless of the goods or services your business offers, it is likely that you also rely on third parties to help with data storage and processing, purchasing and fulfillment, and other everyday operations. If you provide personal information to a third party required to comply with CPRA/CCPA, it’s your responsibility to ensure that they comply. While large entities like Facebook make this easier by implementing features that limit the way user data is handled for California residents and new CCPArequired contract terms, it’s important to identify all third-party vendors and determine compliance. Comprehensive data mapping and discovery can go a long way helping you identify all the actors with whom your business shares information and where that information resides.
If your revenue is less than $25 million and you don’t exceed the threshold for the number of consumers or households, that doesn’t necessarily mean you are exempt—more than half your annual revenue may still come from selling personal information. Under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” This has caused quite a bit of confusion—even if you are not directly being paid for data, if personal information is provided as part of a sale, it is considered a sale. That essentially means that transferring information to third-party advertisers via cookies, which is a valuable consideration, is considered a sale.There are of course exemptions, including the disclosing of information to service providers when necessary to perform a specific business purpose. However, to know if you need to comply, it’s important to understand what constitutes a sale of personal information. You also need to know this information to effectively comply with any “opt outs.”
Penalties violating CCPA can cost businesses $2500 for each individual violation (i.e., per consumer), with higher fees for intentional violations. While you can avoid liability if you cure the noncompliance within 30 days, there are some types of non-compliance that may not be capable of a cure. For example, if a data breach has already occurred, there’s little you can do to fix it.
With the passing of the CPRA, the price of non-compliance has increased and the establishment of the CCPA is expected to result in greater enforcement. Most notably, CPRA triples the maximum penalty for an individual violation to $7500 for violations concerning minors.
While these fees seem minor, a business faced with one individual violation may likely have hundreds, thousands or even millions of violations—and all it takes is for one individual to determine and publicize the violation for the fees to stack up. And CPRA/CCPA has NO ceiling on the number of violations. An online retailer doing business with a million Californians could quickly find themselves faced with $2.5 billion in fines.
Just six months into 2020, more than 50 lawsuits invoked the CCPA—everything from a student data management software company that failed to safeguard student data, to a class-action lawsuit against Zoom for sharing millions of users’ personal information through third-party Facebook.