California’s data protection law went into effect on 1 January, 2020. It is far and away the most robust piece of legislation dealing with consumer privacy in the United States. While the California Consumer Privacy Act (CCPA) applies primarily to California businesses, it will likely have some knock-on effects for anyone who does business within the United States, especially when dealing with personal data.
Chances are that if you are a company that is in compliance with GDPR, you will have adequate measures in place to protect personal data, but may need to change some aspects of your business and contract terms to be in full compliance with the CCPA. The following are some of the highlights of the new regulation which may impact you if you are doing business in the United States.
If you are doing any business in California (including any sales), you will be considered a ‘covered business’ if you have annual revenues over $25 million; or buy, receive or sell the personal information of at least 50,000 consumers, households or devices; or derive at least half your annual revenues from selling consumer information. California consumers will benefit in that they now have the right to know how their personal information is used or sold, and they can further opt out of the sale of their personal information. It should be noted that the CCPA may apply to any entity which conducts business in California – even if it is not physically present in the state. The law may also apply to you if you are a service provider supporting a business caught by the CCPA.
The definition of personal information in the CCPA is similar to GDPR, if more explicit. The California Attorney General recently made it clear that whether something is personal information depends on whether the business maintains it in a way which makes it “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” So, where a business merely collects an IP address, without anything else, it is unlikely that the information could be used to identify someone under the CCPA.
Unlike GDPR, the CCPA further lists a number of identifiers of what “personal information” could include, and the usual suspects are there: name, address, IP address, email address, social security number, etc. But the CCPA also specifically lists browsing history, geolocation data, and professional information, among other identifiers. This is, of course, information which is already included in GDPR, with its broad definition of personal data being any information relating to an identified or identifiable person who can be identified from the information.
The law went into effect on 1 January 2020 – however, the California Attorney General’s office has announced that it will not take enforcement action over any breaches in compliance until at least 1 July 2020. He has also made it clear that (for now at least) his office will prioritise the worst offenders of the law. So, big breaches from big companies, where sensitive information like health or financial information is involved, will be on their radar.
However, lawsuits lodged by private consumers are still a possibility, so businesses should ensure they are in compliance now.
The majority of consumers who will benefit will of course be Californians; but nine other states are considering similarly protective laws, and there has been a consistent lobby in the U.S. Congress for federal protection. There is a sea change among tech companies and legislators to create more robust rights for individuals and their privacy, so expect to see a national reaction to the implementation of this law.
The GDPR no doubt helped provide impetus to the passage of the CCPA. The fact that the global tech giants of Facebook, Google and Apple are based in California gave an incentive for lawmakers and voters to set a precedent. People are beginning to recognise that data is valuable, and are wary of their data being used for purposes they were not aware of and did not consent to. The recent elections, mining of social media data and the Cambridge Analytica scandal have clearly helped push personal data and privacy concerns to the forefront of new legislation. Privacy experts feel that this is a big step in pushing the U.S. government towards a federal data protection law, thus unifying the patchwork that currently exists in the U.S.
If you have any questions about the CCPA and how your business might be affected, please contact Danielle Prado.