The California Consumer Privacy Act (CCPA) is a bill that was introduced on January 3, 2018. It wasn’t until June 28, 2018, that the act, also referred to as AB 375, was signed into law.
The act may have greater consequences for U.S. companies than the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
While California doesn’t have some of GDPR’s most punishing requirements, for instance, a small 72-hour window in which a company must announce a breach, the bill intends to protect internet users.
As opposed to GDPR, the California Consumer Privacy Act takes a holistic approach to a user’s private data. The real test for entities is to locate and secure the user’s online private data.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act, commonly referred to as CCPA, is an act that aims to strengthen privacy privileges and consumer protections for Californians. The bill is officially known as AB-375.
When Was the Bill Passed?
The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018. It was introduced by Ed Chau, a member of the California State Assembly, and State Senator Robert Hertzberg.
When Will the Act Come into Effect?
The CCPA will come into effect on January 1, 2020.
What’s the Aim of the California Consumer Privacy Act?
The bill intends to provide residents of California with the right to:
- See what personal data is being collected about them.
- Identify whether their personal data is sold or disclosed and to whom.
- Say no to the sale of their personal data.
- Access their personal data.
- Request that a business delete any personal information it has collected from them.
- Not be discriminated against for exercising their privacy rights.
To Whom Does CCPA Apply?
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:
- Has annual gross revenues over $25 million;
- Buys or sells the personal information of 100,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
How Will the Act Get Enforced?
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of children between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(c)).
- Provide a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of their personal information (Cal. Civ. Code § 1798.102).
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number, for example, a 1-800 number (Cal. Civ. Code § 1798.130(a)).
- Update privacy policies with the newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
- Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).
What’s the Need for CCPA?
The California Consumer Privacy Act (CCPA) is a much-needed policy. With data breaches and cyberattacks becoming ever more prevalent, internet users now fear the improper use of their online data more than ever.
Under the CCPA, California residents will now have more control over their online data and how that information gets shared with others. Although it’s one thing to draw up these alterations, it’s a whole different challenge bringing them into practice.
What Data Does the CCPA Cover?
CCPA aims to safeguard the user’s personal information. Here’s what the privacy act defines as ‘personal information’:
- Necessary information such as a real name, postal address, IP address, email address, account name, Social Security number, driver’s license number, passport number, or any other similar details.
- Commercial information, including records of personal property, products or services purchased.
- Biometric information of Californians.
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Information used to create a profile of an internet user, such as the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Are There Any Gaps in the CCPA Act?
Personal information may differ for everybody, and other states may interpret personal information differently.
CCPA’s broad definition of personal information may be a cause of concern for online businesses as it doesn’t leave any room for them to sustain their business model, especially for advertisers.
Another challenge is how personal information will be regulated. There’s no doubt that the bill is a first step towards data protection. Still, it’s worth mentioning that it only applies to California residents. It’s uncertain when other states will follow suit.
Given that the internet is universal, this act is puzzling for those who move in and out of California and for the rest of the internet users around the world.
As a Business, What’s the Effect of CCPA on You?
As an online business, you’re collecting some form of information that’s deemed as ‘personal information’ by the CCPA. Since you’re collecting it without the consumer’s knowledge, your business is no longer exempt from the law.
Given the level of detail that the CCPA has outlined for businesses in California, companies should immediately treat any information collected about their customers as ‘personal information’ under the CCPA unless they are advised otherwise by legal counsel.
How Do I Ensure my Business is CCPA Compliant?
As the concept of privacy is evolving, businesses will have to keep up and comply with the new regulations which intend to keep the internet a safer place for people of all ages.
As a business, if you’re collecting any personal information on your users, find out where they’re coming from and what laws apply in their state. For the CCPA, you’ll need to update your website with options that give customers the ability to opt out, and additional controls over how their information is sold.
You will be required to display clear messaging on the website stating what, when, how, and why you collect customers’ information. Once the CCPA comes into effect, any business that collects personal information about consumers should reveal:
- The types of personal information it has collected about a particular consumer.
- The kinds of sources from which personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The groups of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about that consumer.
What Does the CCPA Mean for Online Security?
As mentioned earlier, AB 375 places immense importance on online privacy and security. It is a response to more than 600,000 petitions that were signed to give birth to this act. Despite pressure from tech giants and online businesses to stop this act from coming into practice, it’s an excellent win for online privacy and security.
Although businesses are not required to report breaches under AB 375, the best course of action for ensuring optimal security is to take steps to secure your digital existence. For an organization that already complies with GDPR, there’s no need to take further action to comply with AB 375 in terms of securing data.
The Way Forward
As the act has moved from being a proposed bill to being signed into law, the question on the mind of every customer and online business is whether this will apply to the rest of the U.S. in the near future.
Social Media Giants and their Response
If so, how would social media giants like Facebook and Twitter react and comply with this? In response to this ruling, Facebook has said that California’s new privacy law doesn’t apply to its trackers.
However, Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, has doubted that Facebook’s exemption argument is valid. He said:
“When a website delivers massive volumes of personal information to Facebook, that’s a sale under the CCPA. Facebook’s plans to disregard the law is but another example demonstrating that industry will do anything to protect their bottom line at the expense of Californians’ rights.”
With fines of up to a staggering $7,500/user per intentional violation of the new Californian law, I’d say Facebook needs to watch out. It’s only to Facebook’s benefit that the company ensures its data-protection practices are up to date.
The last thing Facebook wants is to risk seeing its privacy bill grow even bigger than before, when the social media company has already been slapped with a $5 billion fine by the FTC. On the other hand, Twitter has vowed to make global privacy changes to comply with the CCPA in 2020.
Impact on ISPs and Telecom Industry
Internet Service Providers like Comcast and Verizon will have no other option but to comply with the new rules and regulations under the CCPA and eventually with those of other U.S. states.
We’re witnessing a time where internet privacy is under threat and eroding daily. New acts such as the GDPR, Net Neutrality, and the CCPA could bring back the days of the internet where privacy was a thing.
While companies have less time to prepare for the new regulation, it seems that California is trying to build a structure where internet users might actually end up getting paid for sharing their personal information/data.
Though it’s unclear how the law will eventually be executed and implemented, one thing that you can control for now is the security of your personal information. Either go incognito or stay off the radar with PureVPN.