
Details of the California Consumer Privacy Act.

Type: Articles
Topic: Compliance

What is the California Consumer Privacy Act (CCPA)?

Another day, another data breach, or so it seems. As of September 2019, at least 4 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches in 2019. Even companies trusted to protect personal information, such as credit reporting bureaus, have undergone massive data breaches. To combat the misuse of data, laws are beginning to pass to further protect consumers. This means that consumer rights are changing, so the way companies protect data has to change as well. 

Real estate mogul Alastair Mactaggart began the campaign for stronger privacy laws. Passed in 2018, the California Consumer Privacy Act (CCPA) is the result of his campaign. This California privacy law, which is effective as of January 2020, gives consumers rights to control the collection and use of personal data. This law can be nerve-wracking for companies that rely on consumer data. However, it’s important to note that the California Consumer Privacy Act of 2018 does not actually stop companies from collecting data. Rather, it puts consumers in control of who has their data, how they use it or sell it, and requires companies to disclose data collection.

At PossibleNOW, our industry-leading compliance experts are here to explain the California Consumer Privacy Act. We can help you implement solutions that keep channels of communication open while honoring the privacy requests of your consumers. The CCPA goes into effect on January 1, 2020. It’s important that your business takes steps toward compliance now. Companies conducting business in California that do not follow consumer privacy rights regulations can be subject to heavy fines. This is the time to learn more about the act and its potential ramifications.

Major Provisions of the California Consumer Privacy Act of 2018

The goal of the CCPA is to give consumers power over the collection and use of their personal data. And it’s incumbent upon businesses to ensure that consumer data is protected. The major tenets of the act include:

– Consumers have the right to view all data collected about them by all businesses, free of charge. Consumers may request this data twice each year. 

– Consumers also have the right to ask for deletion of their data.

– Consumers have the right to prohibit companies from selling their information to other companies.

– If a business sells consumer information, the consumer has the right to know the category of business to which their information is being sold.

– Consumers have the right to sue negligent companies that expose their information due to a data breach.

– Parents must opt-in for their child’s data to be included in business databases when the child is under 16 years of age.

– Consumers have a right to know why their personal information is being collected.

– Consumers have the right to know how their personal information is being collected. This means that businesses need to disclose which of the consumer’s devices are being used to collect personal information.

How Privacy Laws in California are Enforced

Enforcement will look different on a case-by-case basis. There are two main ways that companies will be held responsible for violations of the CCPA. Private citizens can sue if companies use their data in a way that is not CCPA compliant. If an individual private citizen files a lawsuit regarding CCPA noncompliance, companies will pay either (1) between $1,000 and $3,000 for each violation or (2) the amount of the actual damages, whichever is greater. Civil lawsuits may also be brought by the Attorney General, city attorney, district attorney, or city prosecutor. In a civil lawsuit, companies will pay $2,500 per violation and $7,500 per willful violation (a willful violation is when a company knows that a risky or hazardous situation exists, but makes no reasonable attempt to address it). The difference between a violation and a willful violation is important to note because even if a company is unaware that it is in violation, it can be fined anyway – at the lower rate of $2,500 per violation. But the fine increases significantly for companies that know they are committing a violation and choose to do so anyway.

Who is Protected by the Act?

The act protects all California citizens, including children. The act does not protect employees of, or people applying at, companies subject to CCPA regulations. This means that businesses are able to keep tabs on their employees in a way that differs from the data they collect from their customers.

What qualifies as “personal information” under the California Privacy Law?

Businesses collect information on consumers in many ways. Because there are so many methods of data collection, consumers are often unaware that their data is being collected. Personal information includes data such as:

– names

– addresses

– phone numbers

– data collected on consumer habits. This can vary widely and includes things like sleeping habits, web browsing history, shopping history, health information, personality information, driving history, utility usage, and conversational data recorded by personal devices.

What is Privacy Act Data?

Privacy act data refers to any identifying information collected by businesses, also referred to as PII (or personally identifiable information). This data includes legal name, alias name, address, IP address, social security number, passport number, and other means of personal identification – essentially any information that can be used to identify a specific person. 

However, the CCPA has an even broader definition for personal information. In CCPA section 1798.140:

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The phrase to take note of, “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” creates the potential for very broad legal interpretation around what is classified as personal information. “Indirect” information – like product preference or geolocation data – is much broader than data that is obviously associated with an identity (PII), such as name, birth date, or social security number.