What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) was established to enhance the protections and rights of citizens within the state. Officially enforced since 1 January 2020, the CCPA is regarded as one of the most stringent and progressive data protection laws in United States history.

The act parallels many of the safeguards provided to EU residents under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 in the UK, aiming to increase individuals' control over their information and compel companies to be more transparent about their data processing practices. It also features much of the same terminology and concepts.

The CCPA Bill was passed and signed into US law on 28 June 2018 and has since been amended several times. By September 2019, the legislation had moved beyond the deadline for any actions to prevent its enactment, obligating organizations to implement changes in their data-handling practices starting in January 2020. In January 2024, California Attorney General Rob Bonta announced the introduction of the Children's Data Privacy Act, which would further amend CCPA to cover data collected about minors.

Like GDPR, the CCPA is designed to protect individuals' personal information, but the definitions of personal data and the requirements imposed on businesses and organizations are different. The most significant difference is that CCPA is an opt-out data privacy model, whereas GDPR explicitly requires individuals to give their permission for their data to be collected.

Businesses must clearly state what data they are collecting about a person and how it will be manipulated. Failure to comply can result in a fine of $7,500 per violation, with consumers entitled to $100 to $750 in damages for a data breach. Unlike GDPR, CCPA fines are also based on the number of data subjects affected by any individual violation.

Why was the California Consumer Privacy Act (CCPA) created?

Enhancing data protection rights has emerged as a significant concern for governments, digital rights groups, and citizens globally. Over the past decade, efforts have been made to strike a balance between strong data protections and well-designed regulations that enable companies to continue using data for commercial purposes.

However, the discovery of some of history's most severe data breaches and data abuses has put pressure on governments to act. Yahoo, Equifax, First American Bank, and Marriott International hacks have collectively affected many billions of customers within the last six years alone. The Cambridge Analytica scandal also highlighted unprecedented levels of negligence over user data; Facebook's practices allowed for the improper sharing of account data on millions of users to third-party companies without permission.

Note: At the time of writing, a bill to enact the American Privacy Rights Act of 2024 (APRA) is making its way through Congress. If enacted, it would represent the first ever federal law dealing with data privacy and security.

Given that the United States does not currently have a principal federal data protection regime, it has fallen to states to enact their own laws to protect citizens from the worst of these abuses, albeit locally.

In California, this urgency led to the introduction of the far tougher California Consumer Personal Information Disclosure and Sale Initiative, a bill initially proposed by advocacy groups to improve data rights in the state by banning some companies from sharing or selling personal data entirely. After discussions, however, the groups agreed to compromise by withdrawing the bill in favor of the more lenient but more practicable CCPA.

The scope of the California Consumer Privacy Act (CCPA)

The CCPA protects the data rights of all Californian residents, defined as permanent state residents.

Specifically, consumers have the right to know precisely what personal data companies are collecting about them and whether that data is being sold or disclosed to third parties. Consumers also have the right to opt out of the sale of their data, access the information held by companies about them, and request the deletion of this data.

In return, companies that collect this data are legally obligated to facilitate these rights and are prohibited from discriminating against consumers who choose to exercise them.

Consumers can make up to two data access requests yearly, limited to data collected and processed in the previous 12 months. However, there are no restrictions on requests for data deletion or requests to opt out of data sales.

The CCPA applies to any business entity that collects personal data from permanent California residents and conducts business in the state, including non-profits and charities. The business also needs to meet one of the following criteria before the act applies:

  • Annual gross revenue of $25 million or more
  • Processes information on 50,000 or more consumers, households, or devices
  • Earns more than half of its revenue from selling consumers' personal information

How is personal data defined under the California Consumer Privacy Act (CCPA)?

Personal information under the CCPA is broadly defined to encompass "characteristics and behaviors, personal and commercial, as well as inferences drawn from this information".

This includes any data likely to identify, relate to, or describe an individual. Examples include:

  • Names
  • Aliases
  • Addresses
  • Email addresses
  • Unique online identifiers
  • IP addresses
  • Account names
  • Social security numbers
  • Passport numbers
  • Driver's license numbers

Specific categories outlined in the statute include biometric, location, financial, and household purchase data. A person's signature, physical characteristics, educational background, and employment history are also considered personal information.

It's crucial to note that the CCPA does not regulate collecting, processing, retaining, or selling anonymous or de-identified consumer data. However, businesses must demonstrate that such data meets a high threshold of anonymization and is genuinely anonymous.

How to comply with the California Consumer Privacy Act (CCPA)

The CCPA introduces several requirements to enhance transparency in businesses' data processing practices.

Transparency requirements

Businesses must prominently display a clear privacy policy on their website detailing the collection of personal data and its processing under the CCPA's scrutiny.

Websites must provide a "Do Not Sell My Personal Information" link for consumers to opt out of having their data sold to third parties. Clear notifications of data rights and easy contact options for consumers to engage directly with the company, free of charge, must also be available.

Consumer Requests

Businesses must respond to specific consumer requests with details about how their data is processed, including the purposes, categories, and anticipated duration of processing. They must notify consumers before acquiring additional personal information or using existing data for new purposes.

Third parties purchasing personal information must inform consumers explicitly and provide opt-out opportunities before the sale.

Protection of Minors' Data

The CCPA prohibits selling personal information of minors under 16 without explicit consent. Children aged 13 to 16 can consent themselves, while parental consent is required for those under 13.

Execution of Data Requests

Businesses must have robust data processes to facilitate citizens' rights, such as access and deletion. They cannot pass on costs associated with data retrieval to consumers and must provide data access and related details in a portable format.

Businesses must delete data upon consumer request and ensure third parties comply with data deletion requirements.

Response Time and Limits

Businesses must respond to requests within 45 days. Consumers can make up to two data access requests per year, limited to data from the past 12 months. There are no restrictions on data deletion requests.

Non-Discrimination

Businesses are prohibited from discriminating against consumers who exercise their data rights.

These measures ensure businesses comply with CCPA regulations while safeguarding consumer data privacy and rights.

California Consumer Privacy Act (CCPA) fines and sanctions

The CCPA not only overhauls consumer data protections but also introduces far more brutal and potentially crippling fines for data misuse.

The act gives the Californian Attorney General the power to sanction companies found to be in breach of the CCPA up to $2,500 per unintentional violation.

Where it's clear that the violation was intentional, the business can be fined up to $7,500 per violation.

It's important to understand that the CCPA considers each consumer affected by a data breach to be a separate violation.

Each consumer affected has the right to bring a class-action lawsuit against the company to pay statutory damages between $100 and $750. Given that there is no cap on possible fines, the total penalties for a data breach could be enormous.

The first company to be fined under the CCPA was French retailer Sephora. The company was fined $1.2 million for not disclosing that it sold its customers' personal information to third parties.

Other notable fines include $85 million for Zoom. Less than a year after the CCPA came into effect, so-called 'zoombombing,' in which Zoom calls were hacked with inappropriate materials (such as pornography), illustrated how stringent the CCPA could be.

In 2024, DoorDash was fined $375,000 for breaches of the CCPA related to its use of consumer data across its mobile app food delivery service. Attorney General Rob Bonta said: "As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale … I hope today's settlement serves as a wakeup call to businesses".

California Consumer Privacy Act (CCPA) amendments

The CCPA has been part of Californian law since 2020. However, the legislation is in constant review. The most significant change proposed has been the extension of the CCPA to data collected from minors.

The Children's Data Privacy Act would extend the opt-in requirement for anyone between 13 and 18 years old. Any minor under 13 would require the consent of their parent or guardian. This amendment would also require that businesses have actual knowledge that the information they are selling is from a minor. Lastly, age verification is proposed to ensure enterprises know their customers' exact age. It's also suggested that the penalty level should be $5,000 per violation.

The bill, known as AB 1949, passed the California Assembly in May 2024.

The future for the California Consumer Privacy Act (CCPA)

There is little doubt that regulations like CCPA, GDPR, and the UK's Data Protection Act will all need to change as the data landscape evolves. Currently, all eyes are on AI and how it will impact personal data and how businesses and organizations use it.

The CCPA looks set to expand its remit to smaller enterprises, as only larger businesses fall under its current definitions. There might also be enhancements to consumer rights under the CCPA. These could include further empowering consumers with more control over their data, additional rights to data portability, or broader rights to opt out of data processing activities.

With a bill to enact the American Privacy Rights Act of 2024 (APRA) making its way through Congress, federal privacy legislation in the United States may soon be a reality. If federal legislation is enacted, it could impact the CCPA by either superseding it or harmonizing it with national standards.

Overall, the future development of the CCPA will likely be influenced by ongoing discussions on data privacy, technological advancements, legal challenges, and the evolving landscape of data protection both within California and at the federal level in the United States.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.