Earlier this year (25th May 2018 to be precise), the European Union’s GDPR came into force, which in many ways is a milestone in the digital age. It gives EU and EEA citizens more transparency into why, how and where their information is being used. At the same time, it caused some major hiccups for many local and international businesses all over the world.
Now, following in the footsteps of the European Parliament and the Council of the European Union, we have a new regulation: “CCPA”. It is a law for California that gives Californians the ‘who, where, what, and when’ of how businesses handle consumers’ personal information. Many of you must have already heard of it by now.
So, let us now discuss the main elements of this new California Consumer Privacy Act of 2018.
Effective Date & Deadline for CCPA - The Californian GDPR:
AB 375, officially known as the California Consumer Privacy Act of 2018, will become effective from January 1st, 2020 onwards. This unanimous bill, signed by Jerry Brown, Governor of California, was passed on June 28, 2018, having initially started back in February 2017.
The 2018 California Consumer Privacy Act is in many respects like a ‘lite’ version of the EU’s General Data Protection Regulation for California. The two have a very similar set of rules regarding data classification, business rules, and tracking, and for addressing the consent and preferences of Californians.
Consumers’ consent is necessary. Likewise, they may at any time opt out of the sale of their personal information by any business. The consent form and options must be understandable and precise. The cost of breaching this law is also staggering, with a different amount of money for each rule violation. It may go up to $750 per consumer per incident or actual damages, whichever is greater. The act also includes rules for commercial websites asking for consumers’ consent.
Businesses may offer their users specific financial benefits in exchange for the individual’s consent to collect and process their data and information. Additionally, the act strictly prohibits them from discriminating against those who have not given their permission. The other significant difference is that in Europe, consumers must opt in by providing consent affirmatively. Moreover, those who are under the age of sixteen do not need to opt in. What is more, they can opt out of the sale of their information to third parties.
So, what happens if you are found non-compliant with CCPA?
If you want to have, or already have, a for-profit organisation that:
- Receives, buys or shares for commercial purposes, or sells, the personal information of 50,000 or more Californians, households, or devices
- Has an annual gross revenue greater than $25 million
- Derives 50% or more of its annual revenue from selling consumers’ data or information
- Shares any branding with a qualifying “business” or controls / is controlled by that business
Then you will have to comply with all the CCPA rules and regulations. The law will hold companies accountable for any data or information breaches. If you own a website, you must ‘provide a clear and prominent link’ on the business’s home page, saying “Do Not Sell My Personal Information,” that enables an individual to opt out of the sale of their personal information or any data. CCPA provides a limited private right of action for data breaches. It allows consumers to sue for up to $750 for each violation, whereas for each intentional privacy violation the attorney general of California can sue for $7,500.
This is the second regulatory announcement on the use of citizens’ personal data. But how much of an impact is this new California regulation going to have on companies like Google, Target, Adidas, Facebook and Fitbit? Many such companies have had data breach experiences during the EU’s famous GDPR movement.
Above all, the question that arises is whether this “own digital privacy law” idea is becoming a new trend. Other states may also opt for such regulatory measures. Without a doubt, these personal data rules and regulations are taking everyone by storm.