What is CCPA?

In late June 2018, California passed a consumer privacy act, AB 375, that might have more repercussions for U.S. companies than the European Union’s General Data Protection Regulation (GDPR), which took effect this past spring. The California law doesn't have some of GDPR's most burdensome requirements, such as the narrow 72-hour window in which a company must report a breach. In other regards, however, it goes even further.

The California Consumer Privacy Act (CCPA) takes a broader view than the GDPR of what constitutes private information. The challenge for security, then, is to find and secure that private information.

AB 375 allows any California consumer to demand to see all the data a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law permits consumers to sue companies if the protection rules are violated, even if there's no breach.

Which companies does the CCPA affect?

  • All companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
  • In addition, companies of any size that have personal information on at least 50,000 individuals, or that collect more than half of their revenues from the sale of personal data, also fall under the law.
  • Companies do not have to be based in California or have a physical presence there to fall under the law. They do not even have to be based in the United States.
  • An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).

When does my company need to comply with the CCPA?

The law takes effect on January 1, 2020. As a practical matter, companies need to have their data tracking systems in place by the beginning of 2019, since the law gives consumers the right to request all the data a company has collected on them over the past 12 months. That's a really tight timeframe.

What happens if my company is not in compliance with the CCPA?

  • Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, there's a fine of up to $7,500 per record.

What data does the CCPA cover?

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Commercial data including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and data regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information

Wrapping up

The bill was put together in just seven days because legislators wanted to avoid a ballot initiative to pass an even stricter law that was opposed by numerous tech companies. At the moment, many of the provisions and definitions are ambiguous.

It seems California is keen to work for consumers by defining a framework that affirms their right to be paid for the data they share.