California Consumer Privacy Act (CCPA) may not burden security as much as GDPR but its details are subject to change.
In 2018, California passed a consumer privacy act that had major repercussions on the US companies than the European union’s General Data Protection Regulation. Though the California law did not have some of GDPR’s most onerous requirements like a narrow 72 hour window where a company must report a breach, it however goes even farther. CCPA regulations take a broader view than GDPR when it comes to the constitution of private data.
Table of Contents
What is CCPA?
The California Consumer Privacy Act (CCPA) allows any California consumer to demand and see all the personal information that a company has saved on them. It even offers the right to see the full list of third parties that data is shared with.
Apart from this, CCPA also lets consumers sue the companies that violate any of the privacy guidelines, even if there is no breach.
Which companies are affected by CCPA?
Every company that serves California residents and has an annual revenue of at least $25 million complies with the law. Other than this, all those companies that the at least 50,000 people personal data or collect more than half of their revenues by selling such personal data also fall under the same law. It is not necessary for a company to be based in California or have their physical presence to fall under the law. They don’t even have to be based in the US for that matter.
The CCPA personal data law is only non applicable for insurance institutions, agents, and support organizations as per the amendment made in April. This is also because these companies are subject to similar regulations under California’s Insurance Information and Privacy Protection Act.
What happens if my company is not in compliance with the CCPA?
Generally companies get 30 days to comply with the CCPA regulations after they are notified of a violation. In case the issue isn’t resolved within 30 days, the company can be fined up to $7500 per record. And for breach, the fine keeps on increasing. Also, while the bill was made it was passed within a week. Due to this, many believe that CCPA will probably see some amendments like fine amounts.
Another potential financial risk in the bill is when individuals’ rights are sued. If a customer gives written notice to a company with his privacy rights being violated, the company gets a 30 days window to cure this.
In general, CCPA compliance protection is similar to GDPR in many ways. If a company is complying with the GDPR, then its most of the way there for CCPA.
What data does CCPA cover?
The CCPA law takes a broader approach to the sensitive data than the GDPR. Here is what all it covers.
- As per CCPA, the real name, postal address, online identifier IP address, email account, driver’s license number, passport number, account name, or any such identifiers is considered as personal information.
- CCPA also covers the characteristics of protected classifications under California law.
- Biometric information
- Commercial information like records of products or services purchased.
- Geolocation data
- Professional or employment information
- Education information
- California online privacy protection act compliance also covers internet or other electronic network activity information.
The CCPA bill was put together in a week as legislators wanted to avoid any initiative highlighting even stricter laws that were opposed by various tech companies. The only idea was to define a framework in California where consumers are paid for sharing their data.
