What is the CCPA?

On June 28 2018 Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), which will enact some of the USA’s most powerful consumer data privacy protections into law.

The CCPA will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control and security over their personal information. Consumers will have the ability to request that any business disclose (and delete) the personal information that it collects and request that their data not be sold to third parties (unless opts-in).

Future state, end to end solution

Why was the CCPA drafted?

There are significant differences between the version of the CCPA that was first proposed as a ballot initiative in 2017 and the version of the CCPA that was ultimately passed by the state legislature in 2018. In general, the version passed by the legislature conferred greater data privacy protections but imposed weaker penalties for non-compliance.

When does CCPA come into effect?

CCPA goes into effect January 1 2020. However, customers will be allowed to request data collected on them in the previous 12 months (i.e. as of January 2019).

Who does the CCPA apply to?

The California Consumer Privacy Act defines a (1) business as a for-profit entity that collects Californian residents’ personal data, (2) companies that do business in the state of California and (3) a business or their parent company or a subsidiary that meets at least one of the following thresholds:

  • Businesses that earn $25,000,000 or more a year in revenue
  • Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
  • Businesses that derive 50% or more of annual revenue from selling consumer personal information

What counts as personal data under the CCPA?

The definition of ‘personal information’ under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers and purchase histories, but also ‘unique personal identifiers’, such as device identifiers and other online tracking technologies.

What are "customer rights"?

These data protections give Californians the right to:

  • Know what personal information is being collected
  • Access the personal information that is collected, and request it be deleted
  • Know whether their personal information is being shared, and if so, with whom
  • Opt-out of the sale of their personal information
  • Have equal service and price, whether or not they choose to exercise their privacy rights

What are the fines for breaches of CCPA?

Companies can be ordered in a civil action, brought by the California Attorney General’s Office, to pay penalties of up to $7,500 per intentional violation of any provision of the California Consumer Privacy Act, or, for unintentional violations, if the company fails to cure the unintentional violation within 30 days of notice, $2,500 per violation. Twenty percent of such penalties collected by the State of California shall be allocated to a new ‘Consumer Privacy Fund’ to fund enforcement.