California Consumer Privacy Act: Part 2 ~ New Rights = New Responsibilities
Continuing with our overview of the California Consumer Privacy Act (CCPA), we examine the influence of the European Union’s General Data Protection Regulation (GDPR), and its role in shaping California’s new consumer privacy laws.
As a result of the GDPR, which came into effect on May 25, 2018, EU residents have been given new legal rights over and above the previous rights provided by the Data Protection Act, regarding their Personal Information.
The data privacy rights of EU citizens now include the right to:
access their personal data;
know what data you hold;
know what you do with their data;
correct their data if it is wrong;
object to certain automated processing of their data;
obtain a copy of the data you hold on them, in a portable format;
have all their data erased - including backup copies.
Not so long ago, both businesses and non-commercial organizations had free reign over our personal information and what they could do with it.
Data breaches and privacy abuse occurred daily, due to inadequate security and a general lack of respect for individuals’ personal details. Astonishingly, very few companies were ever called to account over their actions. Early ‘Data protection’ laws were simply not tough enough to remedy the many cases of personal embarrassment, unfair treatment, fraudulent transactions and identity theft.
Of course, there is little or no reduction in the numbers of such incidents. However, companies are now being forced to pull back on their data processing practices and give individuals greater much control of what happens with their personal information.
As mentioned in Part 1 of this article, The CCPA is expected to come into effect on January 1, 2020, giving individuals appropriate safeguards in the connected world.
At this time, there is no federal privacy law in the United States, although in September 2018, the National Telecommunications and Information Administration (NTIA) invited public comments on its proposed approach to consumer privacy. (see our article titled “NTIA Consumer Privacy Strategy ~ Proposed Approach”.
Therefore, the CCPA is being heralded as a huge step forward in the creation of safeguards for consumers who engage in transactions with businesses, whether by the sale of personal information, or the exchange of data for a service. Further amendments are expected before the CCPA finally becomes law, the last update having been published in October 2018.
The GDPR and CCPA both provide an individual with the legal right to ask a company to cease sharing or selling their Personal Information. However, the difference is that the GDPR requires explicit consent from the consumer to collect their data. Currently there is with no such requirement under the CCPA.
This means that current U.S. legislation continues to allow businesses to collect Personally Identifiable Information (PII) unhindered, and consumers are given a choice of whether the organization can sell what it has gathered, after the event. The CCPA achieves this by requiring companies to include a “Do not sell my personal information” link on their website.
So, although the CCPA allows businesses to collect information without the explicit consent of the consumer, just like the GDPR, it does provide individuals with the right to request that all their data be deleted.
Financial penalties under the CCPA typically incur fines of between $2,500 and $7,500. The amount fundamentally depends on the type of violation that occurred. At this time, there is no upper limit to the number of violations, and consequential fines that can be imposed.
The GDPR administers financial penalties through an appointed data protection authority, namely, the Information Commissioner’s Office (ICO) located in the UK. The CCPA processes complaints and any resulting fines via the Attorney General of California.
As with the GDPR, once the Attorney General has been officially notified of a violation, companies have 30 days in which to respond by resolving the issue and bringing their processes into compliance, thus avoiding penalties. However, in cases involving a significant data breach, this can be a daunting task.
The requirement for increased disclosure represents a large part of compliance with the CCPA. Businesses that are subject to the CCPA must clearly and proactively explain privacy notices to consumers, whenever Personal Information is being collected and processed. This includes ensuring that consumers are made aware of their rights under the CCPA, the categories of Personal Information being collected, and how that Personal Information is used. Companies also must explain the categories of Personal Information the business sells or shares with third parties. Such disclosures must be updated every 12 months.
Private right of Action
The EU’s GDPR opened the floodgates to a torrent of litigation, with action being taken against companies not only in Europe, but also in the U.S. The CCPA will undoubtably follow suit, with penalties being imposed on out-of-state companies, as well as California-based businesses.
The CCPA provides consumers with a private right of action, if their Personal Information is:
“subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Consumers have the right to file an individual or class action lawsuit and can recover statutory damages of between $100 to $750 per incident, or, in some cases, actual damages. The CCPA also allows consumers to seek injunctive and other forms of relief and sets out various procedures for actions seeking actual damages, as opposed to statutory damages.
Preparation for CCPA
The CCPA has already been amended once, in October 2018. It is expected to undergo additional updates before taking effect in January 2020. However, businesses need to start preparing sooner, rather than later.
Clear and concise privacy notices, policies, procedures and other T’s & C’s will need to be updated before the CCPA comes into effect. As a bare minimum, companies should begin mapping and documenting the Personal Information they collect, as well as the locations where personal data is stored. This will at least enable them to comply with any information request under the CCPA.