The California Consumer Privacy Act (CCPA) will enter into force on January 1, 2020. This law is very similar to the GDPR, but there are also important differences. Read this article so that you are aware of the most important parts of this law.
Territorial and material Scope CCPA
In short, the CCPA applies to businesses that collectively or solely collect consumers’ personal information and determine the purpose of its processing. This is quite similar to the GDPR. Just as with the GDPR, the law applies to both online and offline businesses. To be covered by the CCPA businesses must do business in the State of California and meet one of the following three criteria:
• Have at least 25M + in annual revenues;
• More than half of the revenue must come from selling consumers’ personal information; or
• The company must receive or buy the personal information of 50,000 or more consumers, households, or devices and use it for commercial purposes. This also includes credit card payments.
Such criteria cannot be found within the GDPR. The scope of application of the CCPA is therefore much more limited.
What information is protected?
The law protects the movement of consumer personal information. A consumer is almost every person. Personal information is broadly defined; it concerns information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Only certain public information is excluded. The CCPA thus protects approximately the same information as the GDPR.
What rights do those involved have?
Just like the GDPR, the CCPA contains various rights for those involved (consumers). For example, the new law contains the obligation to indicate, upon request and when collecting information, which categories of information are collected and for which they are used. A company is obliged to delete or transfer the information on request (data portability). Consumer requests must be responded to without unreasonable delay, but in any case within 45 days. This period may be extended under certain circumstances.
In addition, the law contains various opt-in and opt-out rights. For example, opt-in is required for sharing information from young people (under the age of 16). An opt-out right must be offered for selling (and reselling) data to third parties. Companies are required to place a “Do not sell my information” link on their website.
The CCPA also contains an anti-discrimination regulation. This arrangement means that consumers should not be discriminated against because they exercise their rights. It is accepted – within certain limits – that they miss out on discounts.
Finally, the CCPA stipulates that consumers should be informed of their rights and the anti-discrimination regulation in privacy policies.
Major role Attorney General
The Attorney General of California may set further rules on various topics. The AG also maintains the CCPA. The penalty for violation is $ 2,500 per violation up to a maximum of $ 7,500 if the violation is intentional. Consumers are not entitled to a private course or action, except for a data breach where non-encrypted information has been leaked.
Start privacy training?
Want to start privacy training? Read more.
References and further reading: