California Consumer Privacy Act – Effect on Data Privacy

On June 28 this year, The California Consumer Privacy Act (CCPA) was passed, just one week after being introduced. The new law mimics the EU’s General Data Protection Regulation (GDPR), which came into effect in May.

Residents of California can now find out what *personal information companies are holding on them. They have similar rights as EU residents, including:

• the right to request the deletion of their information;
• the right to demand that their data is not be passed to third parties, and;
• take legal action (in some circumstances) if their data is not handled appropriately.

*Under the CCPA “personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

While the rest of the U.S. look on, California is the emerging leader that could be setting the standard for other states to follow.  The introduction of CCPA enables America to take a stronger position on data protection. The new law provides online users with the security they are looking for when using the web.

I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states

~ Democratic state senator Bob Hertzberg talking to the Washington Post.

However, the CCP does not become law until 2020. This gives tech companies plenty of time to lobby against the regulations, to potentially have the toughest measures removed.

Rapid adoption of data privacy

It is evident that the Data Privacy revolution, which began in the EU, is rapidly spreading throughout the U.S. Not to mention the rest of the connected world. Data privacy is already impacting both data controllers and data subjects, with wide-ranging effects.

California’s Consumer Privacy Law – a civil right

Some leading critics see the CCPA as ‘new gold’ for American citizens. California has been commended for being first state in the country to pass a law for governing data privacy. Protecting and controlling the use of personal data “makes our democracy stronger and less vulnerable to global economic and technological forces,” said Sri Ambati, founder and CEO at H2O.ai

Wake-up Call for Tech Companies

With data breaches becoming an everyday occurance, CCP represents a long overdue wake-up call for big tech companies. Having access to millions of customer records carries with it a duty of care, to protect peoples personal data. Under the CCP, violations will undoubtedly be met with stiff penalties for the misuse of this information.

Worldwide trend toward stricter data privacy

The introduction of GDPR certainly caused organisations in the European Union to sit up and take notice. Punitive fines and reputational damage should be a sufficient enough incentive for any business to implement strong compliance measures.

It would only be a matter of time, before non-EU countries would begin considering the need for stronger privacy controls for their citizens. The new California Consumer Privacy Act is a strong indicator of stricter privacy laws propogating across the entire world.

The state of California is often considered to be a trend-setter in the U.S. However, the California Consumer Privacy Act is seen by some as a hectic response to avoid a much stricter ballot measure to be proposed and voted on.

The question is, could CCPA be used as a potential ‘cookie-cutter’ solution for other states to adapt and apply?

LATEST: CCPA amendments signed into law

On September 23, three months after CCPA was introduced, California’s Governor Jerry Brown signed SB 1121 into law. SB 1121 modifies the California Consumer Privacy Act which was passed in June this year. SB 1121 leaves the Act mostly intact, but it brings clarity to certain aspects of the CCPA.

New enforcement date for CCPA

The California Consumer Privacy Act is not due to become law until January 1, 2020. However, SB 1121 states that the California Attorney General cannot enforce the Act until six months after publishing regulations pursuant to the Act, or July 1, 2020, whichever is sooner. The likely extension of the enforcement date should give companies more time to comply with the requirements of the Act.

Private Right of Action

SB 1121 clarifies that the only consumer private right of action permitted under the Act is for data breaches. Additionally, SB 1121 removes both the requirement that; a consumer bringing a private right of action notify the California Attorney General, and the Attorney General’s ability to prohibit a consumer private right of action.

SB 1121 still prohibits consumers from initiating an action against a business within 30 days after they have notified that business of any violations they have detected.

Consumers Right to Deletion

The CCPA previously required that a consumer’s right to deletion of personal information be disclosed in businesses’ online policies. SB 1121 modified this requirement by allowing businesses the flexibility to disclose the right to deletion in a form accessible to consumers.

Penalties

SB 1121 differentiates between penalties for intentional violations of the Act and nonintentional violations of the Act. Each intentional violation will receive a penalty of up to $7,500 for each record, while nonintenmtional violations involve a fine of up to $2,500 per record. This could mean severely punitive fines for violations involving for example, 100,000 records. Do the maths.

Sources & credits: Forbes, Washington Post

IMPORTANT: This article provides general information only and does not constitute legal advice. Individual circumstances may differ significantly. Contact The GDPR Guys for clarification and more information.