The California Consumer Privacy Act is effective on January 1st, 2020. This means that, in a little less than two months, California will be the first state to introduce a clear-cut and precisely defined privacy law. Intended to enhance privacy rights and consumer protection for the residents of the state of California, the CCPA takes a broad view of what constitutes private data. Continue reading to learn everything about the CCPA and how it affects your business or personal information.
What is the CCPA?
Officially called AB-375, the California Consumer Privacy Act was drafted with a purpose to establish protection for a subset of US citizens against their personal information being harvested and sold without their knowledge. The bill was passed and signed into law on June 28th last year. Often dubbed as "California's GDPR", this California data privacy law promises to bring the much-needed changes when it comes to data security and consumer privacy protection. While the California information privacy act applies only to businesses that sell goods or services to California residents, its application outside the US could drastically speed up the worldwide spread of similar legislation.
Of course, since this California data security law is created for a different location than the GDPR, there are a couple of essential differences between the two. The main difference is the overall scope and territorial reach of each law and the definitions related to protected data. Taking a look at the more specific characteristics, another significant difference between the two laws is that the CCPA, in some cases, only considers information provided by the users, while GDPR always covers all personal data regardless of the source or whether the information was public. This makes GDPR a much broader law than the CCPA.
Which companies does the CCPA affect?
The California data protection law clearly defines which type of businesses it applies to. The law affects every company which does business in California, and the only way to opt-out of it is to go out of business. This act will be enforceable on every company that deals with Californian consumers and meets at least one of the three following CCPA requirements:
- Has annual gross revenue in excess of $25 million;
- Has a database of 50,000 or more users, households or devices;
- Derives more than half of its yearly revenue from selling users' data.
In addition to these three thresholds, California privacy policy requirements state that every organization is required to "implement and maintain reasonable security procedures and practices" to ensure the protection of user data. Any business which falls under one of these categories and fails to comply with the CCPA requirements could suffer the following sanctions and remedies:
- Fines up to $7,500 for each intentional violation, and up to $2,500 for each unintentional violation;
- Companies, associations, activists, and others can exercise their right to opt-out on behalf of California residents;
- Companies that suffer data theft or similar security breaches can be ordered to pay statutory damages or actual damages, whichever is greater.
With such regulation, even some big businesses could have trouble with the California online privacy protection act compliance legislation. Companies like Facebook and Google, whose entire business models rely on collecting personal information, could greatly suffer if just a fraction of their users start demanding to see and delete the information they've collected on them. Facebook, in particular, has faced severe backlash over the years, and it will be thought-provoking to see how the platform will deal with the upcoming legislation.
A simple way to prevent data breaches and resulting fines for non-compliance is to use Hideez Enterprise Solution. Our straightforward security features comply with the CCPA, and include phishing prevention, centralized credential provisioning and de-provisioning of ex-employees, and more. Our All-in-one Identity and Access Management Solution makes sure that only authorized users can access sensitive data. Minimize human factor without complicating everyday routine of your employees.
What data does the CCPA cover?
From what we've learned so far about the California privacy policy requirements, we can say that this upcoming regulation can be summed up in the definition "personal information that identifies or could be linked to California residents or households." To fully comprehend what this means, we also have to know what the term "personal information" covers. In the current form of the CCPA, this phrase includes:
- Individual identifiers like real name, address, social security number, driver's license, passport number, IP address, email address, or any similar unique identifier;
- Commercial information like records of services, products of personal property purchased, obtained, or considered;
- Online or Electronic Network Information including search history, browsing tendencies, and interaction with a web site, application, or add;
- Audio, visual, thermal or similar information;
- Biometric data, education or employment-related information;
- Geolocation data.
In line with the information above, it's important to remember that the CCPA covers every California resident. This means that the regulation provided in this act covers every person who is in the state of California for other than a temporary intention. More importantly, such broad phrasing of the term "personal information" also means that this legislation also covers California residents even when they are traveling in other US states.
What does the CCPA mean for security?
Although some data security companies have voiced their concern that the CCPA requirements will be too difficult to enforce, many businesses that operate in the state of California have already started implementing changes to their data policies. The fact of the matter is that the CCPA will undoubtedly improve the current landscape of data protection.
Consumer privacy statistics show that there is a growing concern among consumers regarding their online privacy and security. The CCPA will ensure that selling personal information laws that are currently in place are applied in a transparent manner, which will help to ease the consumers' privacy concerns. To put it in other words, any businesses that maintain or sell personal information will be required to disclose the information and provide the customers with the option to opt-out and have their personal data deleted from the company's database.
Several legislation amendments have already followed CCPA's passage. Although the final is yet to be enforced, this consumer privacy act will unquestionably change the way that companies look at user data.