The California Consumer Privacy Act (CCPA), enacted in 2018 and taking effect on January 1, 2020, gives consumers in California additional rights and protections regarding how businesses may use their personal information. The CCPA imposes many obligations on businesses that are similar to those required by the General Data Protection Regulation (GDPR) enacted by the European Union (EU). Nonetheless, a business that already complies with the GDPR may have additional obligations under the CCPA.
- The California Consumer Privacy Act (CCPA) took effect on January 1, 2020.
- It gives consumers in that state added rights regarding their personal data.
- Businesses face various obligations in order to comply.
Rights For California Consumers
- A right to know what personal data is collected, used, shared, or sold by businesses.
- A right to delete personal data.
- A right to prohibit the sale of personal data. Children under the age of 16 must give explicit consent to have their data eligible for sale, and a parent or guardian must give explicit consent for a child under the age of 13.
- A guarantee that consumers who exercise their rights under the CCPA will not be penalized with higher prices or lower levels of service than those who do not.
What Businesses Are Subject to the CCPA
- Businesses that meet at least one of the following three criteria are subject to the CCPA.
- Gross annual revenues of $25 million or more.
- Businesses that purchase, receive, or sell personal data from 50,000 or more individuals, households, or devices.
- Sales of personal data represent 50% or more of annual revenues.
- Additionally, businesses that handle personal data from more than 4 million consumers eventually may face additional obligations.
Obligations For Businesses
- Notifying consumers in advance of the personal data being collected.
- Making it easy for consumers to exercise their rights under the act, such as by providing links on their websites and mobile apps to prohibit selling their data.
- Responding within specific time frames to requests made by consumers under the act.
- Verifying the identity of consumers making requests under the act.
- Disclosing any financial incentives offered in exchange for the retention or sale of personal data, as well as how the value of this data was calculated. Also, businesses must explain why they believe such incentives to be permitted under the CCPA.
- Keeping records of all requests made under the act and how they responded.
- Maintaining data inventories and mapping data flows.
- Disclosing data privacy policies and practices.
Scope and Cost
According to estimates prepared by Berkeley Economic Advising and Research, LLC., for the Standardized Regulatory Impact Assessment released in August 2019, the CCPA will protect personal data worth over $12 billion that is used in advertising in California each year. The cost of compliance with the draft regulations, but excluding general compliance costs with the underlying CCPA law, is estimated in the same report to total somewhere between $467 million and $16.454 billion in the period from 2020 to 2030.
Under the provisions of the CCPA, the Attorney General of California is required to seek input from a broad segment of the public to guide the formulation and implementation of regulations that are designed to further the goals of the act. Pursuant to this provision, the Attorney General held a series of public hearings in early December 2019, and December 6, 2019 was the deadline for written comments from the public.
Implementation and Concerns
While the CCPA took effect on January 1, 2020, enforcement, including the imposition of fines, will be delayed until June. Internet-based businesses, many of which are based in California, have been among the most vocal opponents of the law, arguing instead for U.S. federal legislation that would set uniform standards across the nation. Part of their concern is that each violation of the CCPA potentially could trigger thousands of dollars in fines, which can add up to massive amounts across perhaps millions of users in California alone.
However, internet giants Facebook Inc. (FB) and Google parent Alphabet Inc. (GOOGL, GOOG) already are compliant with the EU's GDPR, which has stronger protections than the CCPA, notably by requiring opt-ins for sharing personal data, rather than merely facilitating opt-outs, as does the new California law. As a result, some observers believe that the CCPA will be more burdensome for smaller players, and thus entrench the leaders in online advertising.