If you closely follow cybersecurity and privacy matters, you have probably come across the California Consumer Privacy Act (CCPA).
CCPA is a comprehensive data privacy law that seeks to regulate how businesses handle personal information they collect from California residents.
The law took effect on 1 January 2020, making it the first comprehensive consumer privacy law of its kind in the U.S.
Europe has a similar regulation, the GDPR, which provides data privacy protection for residents of the EU.
While the CCPA omits some of the measures found in the GDPR, it takes a broader view of what counts as personal information and imposes some strict protections of its own.
Who Does It Apply to?
The CCPA applies to any for-profit business, wherever in the world it is located, that collects personal information of California residents and meets any one of the following thresholds:
- Buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more consumers, households or devices per year
- Has annual gross revenues above $25 million
- Derives 50% or more of its annual revenue from selling consumers' personal information
What Is Sale of Personal Information?
Under the act, the sale of personal information is defined as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration" (Civil Code section 1798.140(t)(1)).
Further, an entity that controls or is controlled by a business subject to the CCPA, and that shares common branding with it (a shared name, service mark or trademark), is subject to the CCPA as well.
What Data Does the CCPA Cover?
Understanding the specific data the CCPA covers is crucial in ensuring compliance.
Here is what AB 375, the bill that enacted the CCPA, considers personal information.
- Biometric information
- Identifiers, including a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number and other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information, such as records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories or tendencies
- Internet or other electronic network activity, such as browsing history, search history and information about a user's interaction with a website, application or advertisement
- Geolocation data
- Professional or employment-related information
- Audio, electronic, visual, thermal, olfactory or similar information
- Education information that is not publicly available, as defined in the Family Educational Rights and Privacy Act
- Any inferences drawn from the above to create a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
What Does CCPA Mean for Online Security?
With the CCPA, data handling is front and center: businesses must tell consumers, at or before the point of collection, which categories of personal information they collect and for what purpose. Consumers also have the right to know where that information came from, which third parties it is shared with or sold to, and to opt out of its sale.
There is also a requirement for businesses to implement and maintain reasonable security procedures and practices. Unlike the GDPR, the act does not spell out what those measures are.
This notwithstanding, the act does provide clear consequences for security failures. One of these is litigation.
If a business suffers a data breach of nonencrypted, nonredacted personal information as a result of failing to maintain reasonable security, affected consumers can sue individually or as a class for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
For website owners, it is now necessary to inform users at each data collection point what data will be collected and for what purpose.