On May 25, 2018, the European Union implemented a new privacy law called the General Data Protection Regulation, or GDPR. This regulation updated European law to give EU citizens more control over their data as a result of the hyper-connected world we live in today. Then last June, California responded with its own bill called the California Consumer Privacy Act (CCPA). This bill, which goes into effect January 2020, broadens the scope of privacy rights for Californians, including data access rights and a limited private right of action. Essentially, the CCPA gives users the right to know just how companies are making money off of their data.
What are users’ new rights under the CCPA? First, businesses are required to reveal the personal data that is collected, sold, or disclosed for their business purposes. This includes informing users what categories of data were collected and how their data will be used. Second, companies may not discriminate against a consumer who exercises their rights under the CCPA. Third, businesses must provide users access to their data. Fourth, companies are required to delete users’ data upon request (with some significant exceptions). This includes personal data that the company might have shared with a third party. Lastly, businesses must provide the user with the ability to opt out of the sale of their data.
That all sounds beneficial for privacy-conscious consumers, but how exactly does the CCPA define personal information? The CCPA defines personal information as any information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked with a particular consumer or household. Some examples of this type of data include a real name, user name, email address, Social Security Number, passport number, property records, biometric data, and internet activity like browsing history or IP addresses.
So, how will the CCPA be rolled out and what happens if a business violates the CCPA? Parts of this regulation will go into effect on January 1, 2020, but most will be enforced starting on July 1, 2020. According to the California legislature, if a business violates the CCPA and fails to fix the violations within 30 days, it is liable for a civil penalty. A company may be charged a maximum penalty of $2,500 per violation, or $7,500 for each intentional violation of the law that is not fixed within 30 days. If a company suffers a data breach resulting in the theft of personal information, it may be ordered to pay damages to the impacted California residents.
While California is the first large state to implement these privacy regulations in the U.S., it certainly won’t be the last. Other states have begun drafting similar bills and similar regulations will likely come into effect over the next few years; Congress also has some significant bills under consideration. As this legislation is rolled out, consumers need to be aware of their new rights to help them better protect their privacy.