People in cybersecurity have been buzzing about the GDPR, the data protection law that took effect in May 2018 and applies to businesses handling the personal data of people in the European Union (EU). In fact, there has been little talk of much else. But the California Consumer Privacy Act (CCPA) of 2018, signed just one month later in June of this year and taking effect on January 1st, 2020, is nearly as groundbreaking. California will be the first state in the nation to pass such a law. Internet services, software developers, and other tech companies have the rest of this year and all of 2019 to get ready for the CCPA, so consultants, lawyers, and data security professionals should start preparing companies for the new law right now. For some businesses, this effort will demand a major overhaul of operations. So, if you don’t know much about California’s new mandates, you need to read this:
Who does the CCPA apply to?
The language in the Act, which can be read in its entirety here, refers to “consumers,” defined as natural persons who are California residents; the definition is not limited to people engaging in online activity. Just as the GDPR applies to the data of people in the EU regardless of where the data is stored, transferred, or processed, the CCPA applies to the data of California residents wherever in the world it is held. On the business side, the Act applies to for-profit businesses that collect Californians’ personal information and meet at least one of three thresholds: annual gross revenues above $25 million; annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50 percent or more of annual revenue from selling consumers’ personal information.
What types of data does the CCPA cover?
Types of information referenced in the Act that the CCPA will protect include:
- Data that can be used to identify a specific individual, including but not limited to names, aliases (such as usernames), postal addresses, unique personal identifiers, IP addresses, email addresses, account names, Social Security numbers, driver’s license numbers, and passport numbers.
- “Characteristics of protected classifications,” such as race, ethnicity, or gender.
- Biometric data like fingerprints, iris scans, DNA, and face scans, along with any other physiological or behavioral characteristics that can be used to establish an individual’s identity.
- “Commercial information.” These are details of the business a specific Californian does with a company. So that could be information like what sort of Netflix plan they have, which games they’ve been playing on the PlayStation Network, what they bought on Amazon, and any other details about which products and services an individual has purchased, obtained, or considered.
- Information about how an individual uses the internet, such as “browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.”
- Geolocation data, and “audio, electronic, visual, thermal, olfactory, or similar information.” That covers personal images and voice recordings today and, once sensors exist to capture it, even what something smells like.
What new rights will Californians enjoy as a result?
Here are some of the benefits to remember, verbatim from the Act itself:
- “A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.” So, for example, if a web service has collected a user’s mailing address or birthdate, it must, when that user asks, tell them which categories of personal information it holds about them.
- “A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer.” This covers what was sold and to whom: on request, a business that sells or discloses a Californian’s personal information must tell that consumer the categories of information involved and the categories of third parties that received it. In practice, though, few consumers will think to ask.
- “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer’s personal information. This right may be referred to as the right to opt out.” Users can exercise this right at any time under the new Act. Once a consumer opts out, the business may not sell that consumer’s personal information, and a business that sells the personal information of consumers it knows to be under 16 must first obtain their affirmative opt-in (or a parent’s or guardian’s, for children under 13).
What does this mean for businesses?
Here are some of the specific requirements that the law has for organizations which may have data pertaining to Californians.
- If a business sells consumers’ personal information, its website homepage must carry a clear and conspicuous link titled “Do Not Sell My Personal Information” that lets Californians opt out, and the business may not require a consumer to create an account in order to use it.
- At or before the point of collection, a business must inform the consumer which categories of personal information it will collect and the purposes for which each category will be used. The responsibility to inform the consumer rests with the business.
- The penalties for violating the CCPA are modest compared to those of the GDPR, but they are assessed per violation and per consumer, so they add up quickly when a business mishandles the data of thousands of consumers. As enacted, the Act lets the Attorney General seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. It also gives consumers a private right of action, and this is the part that matters most to security teams: a consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure because the business failed to implement and maintain reasonable security procedures and practices can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. The $1,000 and $3,000 per-violation figures sometimes quoted for the CCPA come from the 2018 ballot initiative that the Act was passed to replace, not from the statute itself.