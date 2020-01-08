California rang in the new year with a law called the California Consumer Privacy Act (CCPA) that is the first of its kind in the country. Similar to the European Union’s General Data Protection Regulation (GDPR), CCPA takes a big step in protecting the rights of consumers as it relates to how their data is collected and used online. Further, the law spells out the obligations for affected businesses to confirm to the law.
The new law is not just for California-based businesses. In fact, it covers any company that does business in the state and collects information on California residents. But there are certain thresholds that must be met. If one or more of the following criteria are true, then the law applies:
- The business generates annual gross revenue in excess of $25 million
- The business buys, sells or shares the personal information of more than 50,000 California residents, households or devices each year
- The business gets at least half of its annual revenue from selling the personal information of California residents. The law may also provide an expansion for our own consumer data privacy laws here in Utah.
Like with the EU’s GDPR, we may see companies apply the new requirements to all of their users because it’s easier for a company to make a sitewide change affecting all customers, rather than establish a different set of rules for just one state’s residents. Microsoft and Mozilla, the company behind the Firefox browser, have already said they’re not limiting the new rights to users in California.
As a consumer, the CCPA addresses a number of basic data privacy rights who now have the right to know what personal information is being collected about them, to ask companies not to sell that data and to request the data be deleted. In contrast to other existing legislation, California states the data can come from any source, including the internet, databases and paper forms. As it is defined, data covers just about everything — your browsing history, race, marital status biometric data and location information, both physical location and IP address. But Californians must make the request to learn what data is being collected and how it is being used, and then the company must provide the information within 45 days for free. Note the company must reveal only the types of businesses it is sharing data with, not the name of the third party itself.
Companies that fall under the law must add a “Do Not Sell My Info” link to both websites and apps. Consumers are protected from being penalized if they choose this option. CCPA states that users who request that a company not sell their data cannot be barred using the company’s services, but companies can offer incentives for users to share their data and allow for it to be sold.
But there’s an important caveat: Businesses can still share and sell your data even if you’ve opted out as long as the data has been anonymized, meaning your identity cannot be discerned from the information. This is a very muddy area because pieces of data can be merged to reveal an individual’s identity. This will be an area that receives scrutiny and could be further restricted in the future.
Penalties to companies that do not comply with the new law, could be fairly stiff. While it’s too early to see how fines will play out in court, the CCPA allows up to $7500 fine per violation if intentional; $2500 if it’s unintentional. A company has a 30-day grace period to fix its privacy procedures once notified by the Attorney General’s office.
Finally, companies can be fined up to $750 per contact if their customers’ data is stolen, but only if the data was unencrypted. And, for the first time, consumers are allowed to sue a company for losing their personal data in a data breach under certain conditions. The idea behind this part of the rules is to encourage companies to protect sensitive data through encryption and other methods, so that if it is stolen, it is of no use to the thief.