In 2018, just as the GDPR was starting to be enforced in Europe, California passed a law of its own.
The California Consumer Privacy Act 2018 made California the first US state to give its residents a high level of protection and control over their personal information. Fast forward five years and those rights have been amended and extended, and a shiny new regulator, the California Privacy Protection Agency (CPPA), has been introduced.
It’s still called the CCPA
California’s data protection law is still known as the CCPA, even though it was amended by the California Privacy Rights Act (CPRA), which Californians voted for in November 2020. The amended rules came into force on 1 January 2023 and enforcement will begin from 1 July 2023.
A for-profit business that does business in the state of California must comply with the CCPA, provided it meets the following criteria:
- collects personal information of California residents; and
- alone or jointly determines the purposes and means of processing consumers’ personal information; and
- meets any of the following thresholds:
(i) has an annual gross revenue in excess of $25m; or
(ii) buys, receives, sells or shares the personal information of at least 100,000 California residents, households or devices per year (this has been increased from 50,000); or
(iii) derives at least 50% of its annual revenue from selling California residents’ personal information.
What else has changed?
Prior to 1 January 2023, CCPA rights did not extend to employees, job applicants or to personal information collected in a business-to-business context. Now the changes to the CCPA confer rights on all California residents (in any capacity).
Here’s the full list of the rights California residents have over their personal information:
- right to know – similar to the GDPR right of access. Note that the previous restriction to personal information collected in the past 12 months has been removed;
- right to delete – similar to the right to erasure/right to be forgotten under the GDPR;
- right to correct – this is a new right similar to the GDPR’s right to rectification;
- right to opt-out – of the sale of their personal information (under 16s need to opt-in). This right now extends beyond personal information sold to include personal information shared with third parties for the purpose of cross-context behavioural advertising;
- right to limit – the use or disclosure of sensitive personal information to the legitimate business purposes specified in the CCPA such as preventing, detecting or investigating security incidents; and
- right to non-discrimination – for exercising any of these rights; discrimination might include charging different prices or providing different levels of service.
Some big businesses such as Netflix, Uber and Microsoft have decided to extend CCPA rights to all Americans, as opposed to California residents only. This could involve less work as companies don’t need to confirm where requesters live, or segregate the personal information held on California residents from non-California residents.
Penalties for non-compliance with the CCPA
There is no overall cap on penalties, which are up to $7,500 per intentional violation, or up to $2,500 per unintentional violation. It is widely thought ‘per violation’ means per California resident, so an unintentional breach of the CCPA affecting 20,000 consumers in California could attract a $50 million penalty. California residents themselves also have the right to sue in certain circumstances.
The 30 day ‘cure’ period has also been removed. When originally passed, the CCPA included a provision giving all businesses 30 days to fix alleged violations before being subject to fines and injunctions. The regulator can now proceed directly to enforcement action, although it still has the option to give businesses the opportunity to fix the issues. This will depend on whether the violation was intentional and whether remediation efforts had already been undertaken before the regulator gave notice.
Previously, only the California Attorney General could issue penalties for CCPA breaches. Now there are a number of enforcers, including the newly established CPPA. District Attorneys in any county in California and the City Attorneys in the state’s four largest cities (Los Angeles, San Diego, San Jose and San Francisco) can also fine businesses.
Complying with the CCPA
As under the GDPR, the principles of purpose limitation, data minimisation and storage limitation are now at the heart of the CCPA.
If the CCPA applies to your business, you should:
- undertake a personal information inventory – know what categories of California residents’ personal information you hold, where you hold it, how you hold it and who you share it with;
- review your processes – make sure you have mechanisms for facilitating the right to opt-out of the sale/sharing of personal information and the right to limit the use of sensitive personal information. Businesses must also comply with opt-out preference signals such as Global Privacy Control. The first ever financial settlement for breach of the CCPA ($1.2 million) was partly due to beauty retailer Sephora’s failure to process customer requests to opt out;
- implement a verification process – you’ll need to be able to verify the identity of a person making a right to know, correct or delete request. You also need to verify the age of children providing their own opt-in consents to selling/sharing and/or use of their sensitive personal information (13 to 15-year-olds) and that the person giving consent for a child under 13 is actually their parent/guardian;
- update your privacy notices – consumers must be notified of their CCPA rights, how to exercise them and the categories of personal information you collect, sell/share and disclose;
- take appropriate security measures – California residents have the right to sue organisations if certain personal information is compromised because reasonable security procedures aren’t in place;
- check your relationships with data processors and other vendors – ensure you have written contracts with data processors (known as ‘service providers’ in the CCPA) and ‘contractors’ drafted to fall within the CCPA exception to a ‘sale’ or ‘sharing’ of personal information;
- establish record keeping and reporting procedures – records of all consumer CCPA requests and responses must be kept for a minimum of 24 months. Businesses that sell or receive at least 10 million Californian consumers’ personal information each year also have additional annual reporting obligations;
- train all your staff who handle privacy enquiries how to comply with the CCPA; and
- evaluate your business model – the definitions of ‘sale’ and ‘sharing’ encompass more than providing personal information for money. Organisations which rely on revenue from targeted advertising may see that revenue fall if California residents invoke their ‘do not share or sell’ right en masse.