At Listrak, we’re committed to the success of our clients, which is why it is imperative to understand the California Consumer Privacy Act (CCPA).
CCPA: What is it?
You’re no doubt familiar with the General Data Protection Regulation (GDPR) from the European Union. Following the passage of GDPR in May 2018, several states in the U.S. have proposed their own version of data protection laws that provide similar consumer rights as GDPR. But by far, the most comprehensive – and toughest – is the California Consumer Privacy Act, passed in June 2018. The CCPA goes into effect on January 1, 2020.
Who is Affected?
According to the CCPA website, the Act impacts for-profit businesses that process the data of California residents and that meet one of the following criteria:
- Annual revenue of more than $25 million;
- Process the personal information (PI) of 50,000 or more California residents annually; or
- Derive 50% or more of their annual revenue from selling the PI of California residents.
How is the CCPA similar to – and different from – GDPR?
Like GDPR, the Act provides certain rights to consumers, including “Right to Know,” “Right to Opt-Out,” “Right to Access” and “Right to Deletion.” The CCPA also takes a rather far-reaching approach to what it regards as personal data, defining it as, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (whew!).
However, unlike GDPR, CCPA requires an opt-out link on a company’s website, allowing consumers the choice to opt-out of third-party data sales. It also expands (and we mean expands) the definition of PI, requiring significant changes in how companies operate, extending the definition into other information such as audio, electronic, visual, thermal, Internet or other electronic network activity, geolocation, and much, much more.
A consumer can also bring a private right of action (READ: sue) a business for a data breach. There are also punitive features for violations of CCPA, allowing for penalties to be imposed by the California Attorney General of up to $7,500 per violation – and no maximum cap.
The CCPA is indicative of a trend toward consumer demand for stronger privacy protections. But there is good news: if you’ve taken the steps to comply with GDPR, you’re most likely already in compliance with a good number of the CCPA provisions. However, we recommend that you speak with your legal counsel and conduct a thorough audit of your data collection practices to understand whether the Act applies to you, and if you need to make changes.