Data Privacy law coming to California in 2020

Data privacy, specifically as it pertains to our lives online, has been a staple topic of discussion particularly since the General Data Protection Regulation (GDPR) went into effect in the European Union in 2018. The United States is now poised to see a similar, albeit different regulation for the state of California. 

What is the California Consumer Privacy Act? 

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and enforcement for it will begin on January 1st, 2020.

The CCPA applies to all residents of California, providing them with the following:

  • The right to know what personal data is being collected;
  • The right to access their personal data;
  • The right to know whether this data is sold or disclosed, and to whom;
  • The right to opt out of the sale of personal data;
  • The right to equal service and prices, even if they exercise privacy rights.

Essentially, this bill grants the average person more control over the information that companies may collect on them, and it protects them from being denied service if they choose to exercise privacy rights. 

Important to note is the way the CCPA defines “personal information”, which is as follows:

“Information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”

Another significant detail to be aware of is that the CCPA does not consider Publicly Available Information to be personal information that is protected under the bill.

Who does the CCPA apply to?

  • Any business or for-profit entity that collects consumers’ personal data, which does business in California, and meets at least one of the three following thresholds:
    • Has annual gross revenues in excess of 25 million USD;
    • Possesses the personal information of more than 50,000 consumers, households, and devices; or
    • Earns more than half its annual revenue from selling consumer information

The words “digital privacy law” and “California” in the same sentence most likely conjure images of Silicon Valley companies. However, this regulation will most likely not be world changing for giants like Facebook and Google. This is due in part to GDPR-compliance, which makes it easier to comply with regulations like the CCPA. 

Some Similarities & Differences between the CCPA and GDPR

  • Similarities
    • Both regulations only protect natural persons (individuals) and not legal persons
    • Both require companies to demonstrate after a data breach that they took reasonable steps to protect that data from a breach
    • Both apply to organizations that might not have presence in their respective jurisdictions, but offer goods or services in the region 
  • Differences
    • CCPA
      • Requires companies to provide an opt-out to data sharing
      • Penalties are done on a per-violation fine basis
      • Does not cover certain categories of personal data (e.g. health information) because they are already covered under different US regulations, such as HIPAA.
      • Does not require organizations to hire data protection officers or conduct impact assessments
      • Protects a “consumer” who is “a natural person who is a California resident”
      • Obligations apply specifically to “businesses” that are for-profit, collect consumer personal information and meet certain qualifying thresholds as mentioned above
      • Also applies to any entity that controls or is controlled by the business in question. No obligations are directed specifically at “service providers”
    • GDPR
      • Requires companies to provide an opt-in to data sharing
      • Penalties focus on up to 4% of annual global revenue
      • Protects a “data subject” who is “an identified or identifiable natural person” – meaning that an individual does not specifically need EU residency or citizenship if the controller processing their data is located in the EU. If the controller is located outside the EU, the citizenship/residence condition applies
      • Obligations apply to “controllers”, which could be natural or legal persons in addition to business entities, whether the activity is for-profit or not
      • Obligations also apply to processors, which are entities that process personal data on behalf of controllers.

If you have any questions or comments about whether CCPA will impact you or your business, you can always reach out to our team at Centry for help by emailing info@centry.global!