CCPA – California Consumer Privacy Act

GDPR is causing waves worldwide

The California Consumer Privacy Act (CCPA) entered into force in June 2018, following the example of the General Data Protection Regulation (GDPR) that became effective in Europe in May 2018. The CCPA is to become legally binding at the beginning of 2020. In the USA, data protection is largely regulated independently by the federal states. The International Association of Privacy Professionals (IAPP) estimates that more than 500,000 companies in the USA alone are affected by the CCPA. They now have to check to what extent they have to revise their business processes and adapt them to the requirements of the CCPA by the deadline of January 1, 2020.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act is a law designed to protect the privacy of Californian consumers. Non-Californian (federal) residents are not covered by the CCPA. Californians who temporarily reside in other states are, however, included.

Who must comply with CCPA regulations?

The Act applies to nonprofit organizations and legal entities that process personal information about Californian consumers (regardless of where the processing company is located). The following thresholds apply:

• Annual gross revenue of more than USD 25 million
• Purchase, sale and use for commercial purposes of data sets of 50,000 consumers
• 50 % of the annual turnover is generated from the sale of consumer data.

What is "personal information" according to CCPA?

According to the CCPA, any information that identifies or describes a consumer is "personal information". The details are set out in a non-exhaustive list of eleven categories of data. These include for example name, addresses, email addresses, location data, biometric data, cookie information, search history, IP addresses, etc.

Which rights do Californian consumers have according to the CCPA?

The CCPA gives Californian consumers the right to protect their personal data, control disclosure and request access.

In particular, Californian consumers have the right:

• to be informed about the categories of information that a company collects, stores, processes and sells about them
• to know to whom the information is sold or disclosed
• to prevent the sale or disclosure of information to third parties
• to a copy of "specific parts" of the personal data to be made available to the consumer by post or electronically within 45 days.
• to be forgotten, i.e. the right request the deletion of the data (this also applies for third-party providers who receive this data from the company)
• to an opt-out before preventing the resale of personal data to third parties
• to non-discrimination

Which penalties are applicable in the event of non-compliance?

If the requirements of the CCPA are not met, the State of California may impose fines of up to $7,500 per record and incident, depending on circumstances such as inadequate safeguards or intent.
These fines appear small compared to the penalties that companies face for violating the General Data Protection Regulation. However, companies in the U.S. risk civil class actions by affected consumers that could lead to a loss of confidence and substantial fines.