The California Consumer Privacy Act (CCPA) is set to take effect on January 1, 2020. As one of the United States’ most expansive consumer protection laws to date, businesses are setting in motion new policies and procedures to ensure compliance. Here are 10 things to know about the new CCPA:
- The development of the CCPA was driven by the 2018 widespread breach of privacy by the Cambridge Analytica data-mining firm that shared the personal data of tens of millions of people. This drove a series of congressional hearings which led California legislators to more thoroughly examine the way that personal data is collected and shared and draft what is now The California Consumer Privacy Act of 2018, or CCPA.
- Assembly Bill 375 was signed into action as The California Consumer Privacy Act of 2018 on June 28, 2018. However, it does not take effect until January 1, 2020. The California Attorney General released a Notice of Proposed Rulemaking Action on October 10, 2019. The public comment period includes four public hearings and comments can be submitted to the Office of the Attorney General by public hearing, mail, or email before 5:00 PST on December 6, 2019.
- Personal information as defined by the CCPA includes 11 categories and is “anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” However, de-identified information, aggregated information, and some types of publicly available information are excluded.
- The CCPA applies to all businesses, including nonprofits, that collect personal data and do business in California. Businesses that meet the previous criteria must also satisfy one of the following: have a gross revenue in excess of $25 million, possess the personal data of more than 50,000 consumers, households, or devices, or earn more than half its annual revenue from selling consumer data.
- The CCPA provides very specific rights to Californians such as:
- The right to know what information is being collected about them and whether their personal information is sold or disclosed and to whom
- The right to opt-out of the sale of personal information
- The right to delete their personal information
- The right to access their personal information
- The right to non-discrimination through equal service and price, even when consumers exercise their privacy rights
- Consumers have the right to opt-out of the sale of their personal information. The CCPA requires that a business provides a “clear and conspicuous link” on its website homepage titled “Do Not Sell My Information” or “Do Not Sell My Info.” This link will not require the creation of an account to participate and will enable consumers to opt-out of the sale of their personal information.
- According to an economic impact assessment, the initial cost of CCPA compliance for smaller California businesses (fewer than 20 employees) is approximately $50,000, while the cost for medium (20-100 employees) and medium/large companies (100-500 employees) will be $100,000 and $450,000, respectively. The initial estimate for large companies with over 500 employees is $2 million.
- A special fund known as the “Consumer Privacy Fund” has been created within the General Fund of California’s Treasury to offset costs incurred by the state courts in conjunction with actions taken to enforce the law. It is estimated that the CCPA will protect over $12 billion of personal information used in California advertising annually.
- The CCPA and the European Union’s GDPR (General Data Protection Regulation) do not share the same key requirements. Compliance with one does not imply or guarantee compliance with the other. The scopes, definitions, and requirements of the CCPA and the GDPR are separate and different.
- If a covered business fails to implement and maintain reasonable security measures and unauthorized access of data such as theft, infiltration, or disclosure occurs, the consumer must provide the business with 30 days to cure the alleged violation before filing a lawsuit. Businesses must also advise the consumer after the violation is remedied. If the violation is not remedied and a plaintiff is successful, violations can incur statutory damages ranging from $100-$750 per incident or consumer as well as any relief that the courts deem proper.
Those wishing to view the legislation in its entirety should refer to the specific law as found on the official California Legislative website.
About National Debt Holdings
National Debt Holdings is a receivables management firm assisting creditors with improving cash flow performance from account portfolios. Our team understands the precise balance needed to successfully recover accounts receivable while protecting the brands and reputations of our creditor partners. National Debt Holdings is headquartered in Miami, FL.