CCPA need to know in preparation for CIPP/US | CIPP/E exam

CCPA: What you need to know in preparation for your CIPP/US | CIPP/E exam

The California Consumer Privacy Act (CCPA) will enter into force on January 1, 2020. This law is very similar to the GDPR, but there are also significant differences. Read this article to become aware of the essential parts of this law.

Territorial and Material Scope of the CCPA

In short, the CCPA applies to businesses that collectively or solely collect consumers’ personal information and determine the purpose of its processing. This is quite similar to the GDPR. Just as with the GDPR, the law applies to both online and offline businesses. To be covered by the CCPA, businesses must carry out their activities in the State of California and meet one of the following three criteria:

  • Have at least 25M+ in annual revenues;
  • Derive more than half of their revenue from selling consumers’ personal information; or
  • Have received or bought the personal information of about 50,000 or more consumers, households, or devices and use it for commercial purposes. This also includes credit card payments.

Such criteria cannot be found within the GDPR. The scope of application of the CCPA is, therefore, much more limited.

What information is protected?

The law protects the movement of consumer personal information. Almost every person counts as a consumer. Personal information is broadly defined; it concerns information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Only certain public information is excluded. The CCPA thus protects approximately the same information as the GDPR.

What rights do those involved have?

Just like the GDPR, the CCPA contains various rights for those involved (consumers). For example, the new law includes the obligation to indicate, upon request and when collecting information, which categories of information are collected and how they will be used. A company is obliged to delete or transfer the information upon request (data portability). Consumer requests must be responded to without unreasonable delay, but in any case within 45 days. This period may be extended under certain circumstances.

In addition, the law contains various opt-in and opt-out rights. For example, opt-in is required for sharing information from young people (under the age of 16). An opt-out right must be offered for selling (and reselling) data to third parties. Companies are required to place a “Do not sell my information” link on their website.

The CCPA also contains an anti-discrimination regulation. This arrangement means that consumers should not be discriminated against because they exercise their rights. It is accepted – within certain limits – that they miss out on discounts.

Finally, the CCPA stipulates that consumers should be informed of their rights and the anti-discrimination regulation in privacy policies.

The major role of the Attorney General

The Attorney General of California may set further rules on various topics. The AG also maintains the CCPA. The penalty for violation is $2,500 per violation up to a maximum of $7,500 if the violation is intentional. Consumers are not entitled to a private right of action, except for a data breach where non-encrypted information has been leaked.
