California Consumer Privacy Act 2018
The California Consumer Privacy Act became first one of its kind in USA to have a data privacy law aimed at the protection of citizens. On June, 2018 California passed AB 375, California Consumer Privacy Act which was quite similar to EU General Data Protection Regulation (GDPR) but had far more repercussions than the GDPR in terms of penalty.
CCPA The Current Status
- The California Privacy Rights Act is going to replace the California Consumer Privacy Act and will be enforced from January 1, 2023. Experts say that it will be a more extended and detailed version of the current law.
- The Federal Court has recently in a case ruled that the CCPA will not apply retroactively.
CCPA Applicable entities
- All companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
- Companies irrespective of the size and that have personal data on at least 50,000 people or that collects more than half of their revenues from the sale of personal data, also fall under the law.
- Companies aren’t obligated to be based in California and USA or have a physical presence there to fall under the law. All that matters is that they are targeting citizens of California.
- An amendment made in April, 2020 exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
- Name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act.
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behaviour, attitudes, intelligence, abilities and aptitudes.
- Medical data covered under any medical laws: Any health information, records, data and documents protected and covered under HIPAA, other federal or state medical laws including de-identified medical data and medical data for public health use or medical research under HIPAA or any other medical law or policy;
- FCRA covered data: Any personal information of consumers used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
- Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
- FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
- Farm credit data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.
Data Controller Obligation
- Obtain consent prior to collecting and processing sensitive personal data (g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geo-location data)
- Comply with data processing principles such as purpose limitation and data minimization.
- Implement and maintain the cybersecurity and network security infrastructure so that it does not hamper the confidentiality, integrity and accessibility of personal data.
- They should enter into a written contract with data processors to provide instructions and put limitations on its code of conduct such as the methodology of processing the data, type of data to be processed, time limit for processing the data and mandates of both the parties.
- Conduct a data protection impact assessment and document the whole process formally while processing of sensitive personal data is taking place or associating with activities related to advertisement, selling of personal information of consumers, profiling and other activities which put consumers at high risk of breach.
- Inform consumers of the various privacy rights afforded to them under the CCPA and honour those rights.
Data Subject Rights
The following are the rights of a data subject under CCPA:
- Confirm- The consumer shall have a right to confirm whether or not a controller is processing his/her personal data.
- Access- The law provides the consumer right to access his/her data which is collected and processed by the data controller.
- Rectify- The consumer has a right to have inaccurate personal data being stored or processed by the data controller be corrected.
- Delete- The consumer has the right to have his personal data stored or processed by the data controller is deleted.
- Data Portability- The consumer has a right to obtain a copy of the data he/she provided to the data controller in a machine readable format. The law subjects the consumer the right to transfer his/her data to another data controller without any hindrance.
- Opt-out- The consumer has the right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling.
Repercussions for Non-Compliance
- Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, there's a fine of up to $7,500 per record.
- The Act provides for an individual's right to sue, for the first time and it allows class action lawsuits for damages.
- Again, there's a 30-day window that starts when the consumers give written notice to a company that they believe their privacy rights have been violated. If it's not cured, and the attorney general declines to prosecute, then they can bring a class action suit and it's not just around breaches.
- The law assigns specific penalties should unauthorized access occur, whether through a breach, exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices. As currently written, it allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The California Attorney General will have enforcement authority over CCPA and will have power to issue non-compliance fines which may amount upto $7500 per violation. The CCPA also provides a private right of action which is limited to data breaches. Under the private right of action, damages can come in between $100 and $750 per incident per consumer.
The businesses in California should go through the new CPRA legislation properly and start making necessary changes to their business structure to be compliant with the new law instead of waiting for January 1, 2023.
Prantik Mukherjee is a lawyer specializing in data protection and privacy compliance.