California Consumer Privacy Act
By – Paricha Goyal
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg. Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 13, 2018. Additional substantive amendments were signed into law on October 11, 2019.The CCPA became effective on January 1, 2020.
Applicability of this Act
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:
• Has annual gross revenues in excess of $25 million;
• Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
• Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Purpose of the Act
The intentions of the Act are to provide California residents with the right to:
• Know what personal data is being collected about them.
• Know whether their personal data is sold or disclosed and to whom.
• Say no to the sale of personal data.
• Access their personal data.
• Request a business to delete any personal information about a consumer collected from that consumer.
• Not be discriminated against for exercising their privacy rights.
Definition of personal data under the Act
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Key privacy provisions in the Act
Companies must allow consumers to choose not to have their data shared with third parties. That means that companies will now have to be able to separate the data they collect according to the users’ privacy choices.
A company cannot refuse users equal service, it can offer incentives to users who provide personal information. This provision might be subject to change, but as stated today, it gives you the ability to offer discounts to people who are willing to have their data shared or sold to third parties.
Another major difference with GDPR is that the California law allows customers much greater access to their records, says Subra Ramesh, SVP of products at Dataguise. A California consumer has the right to find out what information a company collects about them. Most companies are going to have trouble pulling that information together.
That data is contained in multiple storage platforms, in different file times. Most file search tools lack the ability to search across the modern file repository ecosystems so prevalent today. Cross-silo file management is a major challenge. It is difficult to understand context for each file if they are scattered inside different repositories. Compliance issues are associated with pulling together data.
Then there’s the time limit. After the access request, a company has 45 days to provide them a comprehensive report about what type of information they have, was it sold, and to whom, and if it was sold to third parties over the past 12 months, it must give the names and addresses of the third parties the data is sold to.
This was much needed act as there was no act related to consumer privacy in California. California passed a consumer privacy act in 2018. California consumer can demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach. This was the power given to the consumer under the act.