California is about to get a new privacy law which, like Europe’s GDPR, intends to secure users and their data on the internet. However, unlike GDPR, the California Consumer Privacy Act, or CCPA for short, takes a holistic approach to the user’s private data. In this article, we want to explain what CCPA is all about; specifically, we want to share what we think are a few things everyone should know about this law. So let’s get started…
1. What’s the goal of the California Consumer Privacy Act?
Commonly referred to as CCPA, the California Consumer Privacy Act aims to strengthen privacy privileges and consumer protections for Californians. The bill is officially known as AB-375, and it intends to provide residents of California with the right to:
- See what personal data is being collected about them.
- Identify whether their personal data is sold or disclosed and to whom.
- The freedom and voice to say no to the sale of personal data.
- Ability to access their personal data.
- Request and demand a business to delete any personal information they have collected from a consumer.
- Not discriminate against anyone for exercising their privacy rights.
To sum it up, the CCPA provides California residents with more control over their online data and how that information gets shared with others.
2. What data does the CCPA cover?
CCPA’s goal is to safeguard the user’s personal information, which is defined as the following:
- Basic data such as real name, postal address, IP address, email address, account name, Social Security number, driver’s license number, passport number, or any other similar details;
- Commercial information, such as records of personal property, products or services purchased;
- Biometric information;
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, or similar information;
- Professional or employment-related information;
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
- The information that creates a profile on internet users such as consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
3. To whom does CCPA apply?
The CCPA applies to any business that collects consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:
– Has annual gross revenues over $25 million;
– Buys or sells the personal information of 100,000 or more consumers or households; or
– Earns more than half of its annual revenue from selling consumers’ personal information.
The law requires organizations to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
4. When was the bill passed and when it will come into effect?
The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018. It was introduced by Ed Chau, a member of the California State Assembly, and State Senator Robert Hertzberg.
CCPA is going to come into effect from January 1, 2020.
5. What fines are included in the CCPA?
Fines for violating the CCPA go up to a staggering $7,500 per user per intentional violation of the law. One would think that the likes of Google and Facebook — both of which have trackers on millions of websites across the internet — would be afraid of the new law.
However, so far they don’t seem concerned, with Facebook even saying that the new privacy law doesn’t apply to its trackers. We’re not 100% confident that will be the case, and chances are we’ll have to wait for another few months — or perhaps a year — to see how CCPA works in real-life situations. If someone manages to prove that trackers such as Facebook Pixel and Google Analytics are not complying with the law and have indeed violated their right to privacy – we may see the two tech giants paying millions to the affected user(s). More importantly, we may see them changing their practices. And that, we think, is something worth wishing for the New Year. What do you think?