The California Consumer Privacy Act, also known as CCPA, was established to safeguard the data and privacy of consumers. Passed by the California state legislature in June 2018, effective on January 1, 2020, and enforced starting on July 1, 2020, CCPA was the first comprehensive consumer privacy law enacted by a US state.
Under CCPA, consumers have the right to:
- Opt out of the sale of their personal information;
- For minors under 16, have their personal information sold only with opt-in consent, which must come from a parent or guardian if they are under 13;
- Access their personal information;
- Delete their personal information;
- Know if their personal information has been disclosed or sold, and to whom;
- Not be discriminated against if they exercise these rights.
Who Does CCPA Protect?
Under CCPA, consumers are considered any California resident. California residents include every natural person who resides in the state, even if they are physically outside of California for a temporary or transitory purpose.
Other Privacy Laws
Other privacy laws that are currently in effect include:
- California Privacy Rights Act of 2020 (CPRA), also known as CCPA 2.0: (Discussed below)
- Virginia Consumer Data Protection Act (CDPA): The Virginia CDPA (HB 2307 / SB 1392) passed the Virginia House of Delegates and the state Senate on February 5, 2021, and takes effect on January 1, 2023.
- New York: NY SHIELD Act: The NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act was signed in 2019 and went into effect on March 1, 2020. The NY SHIELD Act requires businesses to adopt safeguards for the private information of New York residents, and expands New York’s security breach notification requirements. Every employer with employees in New York, even if they are headquartered out of state, must comply with the NY SHIELD Act, because “private information” includes a person’s name and social security number.
- European Union: General Data Protection Regulation (GDPR): GDPR was adopted in 2016 and has applied since May 2018, making it the earliest of the laws listed here to take effect.
What is GDPR?
To understand CCPA, it’s important to understand GDPR, as it inspired large sections of CCPA. In fact, CCPA is sometimes referred to as “GDPR lite,” even though some of the classifications of CCPA are stricter than those in GDPR. However, GDPR is still considered the toughest privacy and security law in the world and is known to penalize companies with hefty fines in the hundreds of millions.
GDPR imposes obligations on any organization worldwide that targets or collects data related to people in the EU. The consequences for failing to comply with GDPR can result in fines of up to €20 million (roughly $23 million) or 4% of a company’s global annual revenue of the preceding financial year, whichever is greater.
The largest GDPR fine thus far was €746 million (approx. $877 million) to Amazon in July 2021. The second largest on record was issued even more recently, to WhatsApp in September 2021, and amounted to €225 million ($267 million).
CCPA also gives consumers a private right of action, but only for data breaches: if personal information is exposed because a business failed to implement and maintain reasonable security procedures, consumers can sue for statutory damages of $100 to $750 per consumer per incident or for actual damages, whichever is greater.
Civil penalties are pursued separately by the California Attorney General: up to $2,500 for each violation and up to $7,500 for each intentional violation. CPRA (aka CCPA 2.0), effective in 2023, keeps these amounts and extends the $7,500 tier to violations involving the personal information of consumers under 16.
To put those numbers in perspective: if the $7,500 penalty had been applied per consumer per incident to the data breaches reported to the Attorney General (AG) from 2014 to 2016, the total AG enforcement exposure would have been about $375 billion.
Who Does CCPA Apply To?
CCPA applies to any company that conducts business in California. This includes businesses headquartered or physically located outside of California or the United States.
CCPA targets for-profit businesses; to be covered, a business must also meet at least one of the following criteria:
- Gross revenue of $25 million or more;
- Receive, buy, sell, or share information on 50,000 California residents, devices, or households. Starting in 2023, this number will increase to 100,000 and will no longer include devices. This means that more small businesses will be outside of the scope of CPRA.
- Derive 50% or more of annual revenue from selling personal information.
Not all organizations are regulated under CCPA. Exemptions cover credit bureaus, certain financial institutions, insurance firms, and data that is regulated under certain other laws, including:
- Health Insurance Portability and Accountability Act (HIPAA): Protected Health Information (PHI) collected for the treatment, payment, or healthcare operations would qualify for the CCPA HIPAA exemption. Healthcare information that is collected for other purposes is not exempt.
- Gramm-Leach-Bliley Act (GLBA), the Financial Modernization Act of 1999: US federal law that requires financial institutions to explain how they share and protect their customers’ private information. Personal information collected, processed, or disclosed under GLBA is exempt from CCPA; the exemption attaches to that data, not to the institution as a whole.
- Job candidate, employee, and business-to-business (B2B) personal information: These were originally within CCPA’s scope, but in September 2020 Governor Gavin Newsom signed amendment AB 1281, which extended the employee and B2B exemptions through January 1, 2022. CPRA carries the exemptions through January 1, 2023.
- Nonprofits: Not all nonprofits are exempt; however, many do qualify for a nonprofit exemption.
What is “Personal Information” under CCPA?
Under CCPA, personal information includes:
- Email address
- Postal address
- Demographic data
- Social Security Number
- Driver’s License Number
- Records of purchased products
- Geolocation data
- Internet browsing history
- IP address
- Biometric data (e.g. fingerprints)
- Financial information (e.g. credit card data)
- Account name or another online identifier
- Personal inferences: Inferences from other personal information that could be used to create a profile about someone’s characteristics and preferences.
Personal information under CCPA does not include publicly available information drawn from federal, state, or local government records, such as professional licenses and public real estate or property records.
Enforcement of CCPA
While CCPA is currently enforceable, definitive information about how it is being enforced is scarce. Lawsuits have been filed, but few public enforcement actions have concluded. Rather than starting with public proceedings, the California Attorney General issues private notices of non-compliance; a company that receives one currently has 30 days to cure the violations before a public action is brought against it.
Changes with CPRA (CCPA 2.0) Coming 2023
CPRA was passed in the November 2020 election as a ballot initiative. It will go into effect in January 2023 and enforcement will begin on July 1, 2023. CPRA is an amendment to CCPA; not a replacement.
Some of the most prevalent amendments contained within CPRA include:
- Closing one of the largest CCPA loopholes by including companies that are “sharing,” not just “selling,” data.
- Giving consumers the ability to correct inaccurate personal information possessed by businesses.
- Providing new rules that govern opt-out rights connected to “automated decision-making technology.” This includes consumer/employee profiling tied to work performance, economic circumstances, health, location, and other factors.
- Creating a new category of “sensitive personal information” (SPI) that consumers can restrict: they gain the right to limit a business’s use and disclosure of SPI to what is necessary to provide the requested goods or services. SPI includes Social Security, driver’s license, or passport numbers; financial account information; precise geolocation; race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information; and information about sex life or sexual orientation.
Additional changes under CPRA will include:
- The creation of the California Privacy Protection Agency (CPPA), with a $10 million annual budget to enforce CPRA through administrative proceedings. The AG’s office retains civil enforcement authority alongside the agency.
- Civil penalties of $2,500 per violation and $7,500 per intentional violation remain, with the $7,500 tier extended to violations involving the personal information of consumers under 16.
- A 12-month lookback period that begins on January 1, 2022. Data collected from this date forward is subject to CPRA regulations, even though CPRA won’t officially go into effect until January 2023.
- B2B and employee exemptions that have been extended to January 1, 2023.
- No more guaranteed 30-day cure period. The agency retains discretion to give a company time to cure an identified violation, but a business can no longer count on it.
Flaws in the CCPA
Some of the largest flaws with the CCPA include the following:
- Individual Control of Data: The way individual data protection laws are being formed and shaped is flawed, because “individual control of data” is fundamentally flawed. Individuals cannot know what the data they reveal means when aggregated, and cannot therefore safely control the spread of their own personal information.
- Anonymization: “Anonymization” and collecting data only in aggregate does not fully protect individual identities. Our habits are very specific and often unique. Therefore, anonymized identifiers can often be reverse-engineered and used to track individual people.
- Consumer Short-Term Focus: Consumers overvalue short-term gains and undervalue long-term consequences. For example, consumers are likely to give up locational information for the immediate payoff of access to a free app, even where there is known damage in the long run.
- Complexity: the combined CCPA/CPRA regime, with its statute, regulations, and amendments, is hard for a business to follow in full.
- New and ambiguous language of CCPA: There are many phrases and ideas within CCPA that are vague or undefined. It can therefore be unclear how to stay compliant with CCPA or how to enforce it in a business environment.
Flaws do not mean that we should not have data privacy protection laws; rather the opposite. It does mean that we must continue to look for more creative and comprehensive ways to ensure that people’s privacy is protected.
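The reverse-engineering point made above (that an "anonymized" identifier is often just a hash of a small input space) can be demonstrated directly. The following Python is an added example, not part of the original article: the phone numbers, the "shared with an analytics partner" scenario, and every function name are constructed for illustration, not taken from any real product or library.

```python
"""Hashing an identifier is not anonymization when the input space is small.

Added example, not from the original article. The phone numbers, the
"shared with a partner" scenario, and all helper names are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample: three customer phone numbers that a vendor "anonymized"
# with plain SHA-256 before handing the identifiers to an analytics partner.
SAMPLE_PHONES = ["+14155550123", "+14155559876", "+14155550042"]


def naive_anonymize(phone: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic and public, so anyone
    who can enumerate the input space can rebuild the mapping."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonymize(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the data controller.
    Without the key, an outsider cannot build the candidate table."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def us_phone_candidates(area_code: str, exchange: str):
    """All 10,000 numbers in one area-code/exchange block. The whole North
    American numbering space is only about 10^10 values, which is still a
    cheap offline enumeration for a hash as fast as SHA-256."""
    for line in range(10_000):
        yield f"+1{area_code}{exchange}{line:04d}"


def reverse_by_enumeration(targets, candidates, hash_fn):
    """Dictionary attack: hash every candidate identifier and look the
    targets up. Returns {hash: identifier} for every target recovered."""
    table = {hash_fn(c): c for c in candidates}
    return {t: table[t] for t in targets if t in table}


def demo():
    """Run the attack against both schemes. Returns the number of identifiers
    recovered from the unkeyed hashes and from the keyed pseudonyms."""
    unkeyed = [naive_anonymize(p) for p in SAMPLE_PHONES]
    recovered = reverse_by_enumeration(
        unkeyed, us_phone_candidates("415", "555"), naive_anonymize)

    key = secrets.token_bytes(32)  # stays with the controller, never shared
    keyed = [keyed_pseudonymize(p, key) for p in SAMPLE_PHONES]
    # The attacker does not have the key, so the best they can do is the
    # same unkeyed enumeration, which matches nothing.
    recovered_keyed = reverse_by_enumeration(
        keyed, us_phone_candidates("415", "555"), naive_anonymize)
    return len(recovered), len(recovered_keyed)


if __name__ == "__main__":
    print("recovered (unkeyed, keyed):", demo())  # (3, 0)
```

Two caveats on the keyed variant. The controller holding the key can still re-link every pseudonym, so under CCPA the output is still personal information; keying reduces exposure when identifiers are shared with a third party, it does not make the data anonymous. And it does nothing about the other reverse-engineering path in the list above: a record with no identifier at all can still be singled out by the combination of quasi-identifiers (location history, purchase patterns) it carries.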
Key Info for Business and Our Clients
For both Grio and our clients, there are some best practices that we can follow to aide in compliance with both CCPA and the upcoming CPRA:
- Update privacy policies (even if you are already GDPR compliant): Under CCPA you must provide four notices when using consumer data: a privacy policy, a notice at collection, a notice of the right to opt out (which GDPR does not have), and a notice of financial incentive. The requirements for some of these notices are vague in the law, which makes them harder to get right.
- Understand changes to the 12-month lookback period: Under CCPA, responses to access requests cover only the prior 12 months. Under CPRA, a consumer can request personal information collected on or after January 1, 2022 regardless of its age, unless providing it is impossible or would involve disproportionate effort.
- Ensure requests for access and deletion are valid: The law requires that staff who handle consumer requests be trained, and that each request be verified before it is acted on.
- Maintain reasonable security procedures: Under CCPA, companies can be fined for data breaches as a result of a failure to “implement and maintain reasonable security procedures and practices.” However, CCPA does not define what “reasonable security procedures” entail.
- Follow the CPRA Retention Limitations: Under CPRA, there are limits to how long you are able to store consumer data. You must additionally disclose how long you are keeping data and abide by those timelines.
- Stay updated and informed.
- Consult legal and compliance experts.
Our Collective Responsibility
Within the tech industry, we all have a collective responsibility to protect the data and privacy of the people who use our products. As we create new applications, we should always ensure that we are following these guidelines and more:
- Do not collect any data that is not absolutely necessary.
- Delete data no longer in use. This minimizes risk not only to consumers but also to clients, Grio and you as an individual.
- Record what types of data you are collecting, from where, and to whom you are sending it.
- Understand and communicate how data is used, where it is stored, and who has access.
- Layer security controls to protect personal data: encrypt sensitive information at rest and in transit, and limit access to as few people as possible.
- Consider security throughout the entire product development lifecycle.
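The CPRA retention limitation described under "Key Info for Business and Our Clients" and the "delete data no longer in use" item above both come down to the same engineering task: a retention schedule that is enforced by a job, not just stated in a policy. The following Python is an added example, not code from the original article or from Grio; the data categories, retention periods, sample records, and reference date are all constructed, and real periods have to come from your legal and compliance review and match what your privacy policy discloses.

```python
"""Retention limits as an enforced schedule rather than a policy sentence.

Added example, not from the original article. The categories, retention
periods, record set, and reference date are all constructed; real periods
come from your legal team and must match what your privacy policy discloses.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule in days, keyed by data category. This is the
# same table you would publish under CPRA's retention disclosure requirement.
RETENTION_DAYS = {
    "support_ticket": 365,
    "web_analytics": 90,
    "precise_geolocation": 30,
}

# Constructed reference date for the sample run.
SAMPLE_TODAY = date(2023, 7, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    legal_hold: bool = False


@dataclass
class RetentionReport:
    purge: list = field(default_factory=list)   # expired, safe to delete
    keep: list = field(default_factory=list)    # within its retention period
    review: list = field(default_factory=list)  # (id, reason) needing a human


def expiry_date(record: Record, schedule=RETENTION_DAYS):
    """Date after which the record must be deleted, or None when the category
    has no schedule entry (which is itself a compliance gap)."""
    days = schedule.get(record.category)
    return None if days is None else record.collected_on + timedelta(days=days)


def evaluate(records, today: date, schedule=RETENTION_DAYS) -> RetentionReport:
    """Sort records into purge / keep / review. Fails closed: anything without
    a defined period is flagged, never silently retained, and a legal hold on
    an expired record is surfaced rather than quietly overriding the purge."""
    report = RetentionReport()
    for r in records:
        exp = expiry_date(r, schedule)
        if exp is None:
            report.review.append((r.record_id, "no retention period defined"))
        elif exp <= today and r.legal_hold:
            report.review.append((r.record_id, "expired but under legal hold"))
        elif exp <= today:
            report.purge.append(r.record_id)
        else:
            report.keep.append(r.record_id)
    return report


# Constructed sample records covering each branch.
SAMPLE_RECORDS = [
    Record("r1", "web_analytics", date(2023, 3, 1)),                         # expired
    Record("r2", "support_ticket", date(2023, 1, 15)),                       # within period
    Record("r3", "precise_geolocation", date(2023, 5, 1), legal_hold=True),  # expired, on hold
    Record("r4", "marketing_email", date(2023, 6, 1)),                       # no schedule entry
]


def demo_report() -> RetentionReport:
    """Evaluate the constructed records against the constructed schedule."""
    return evaluate(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    rep = demo_report()
    print("purge:", rep.purge)    # ['r1']
    print("keep:", rep.keep)      # ['r2']
    print("review:", rep.review)  # [('r3', ...), ('r4', ...)]
```

Run this as a scheduled job against your data inventory and treat a non-empty review list as a defect to fix, not noise to ignore: a category with no retention period is exactly the "kept indefinitely" data that the disclosure requirement is meant to expose.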
Overall, we at Grio are committed to staying informed and to continuously improving data protection for our consumers and our clients.
All content is intended for general information only, and should not be construed as legal advice applicable to your particular situation.