Welcome to 2020.
As you probably know, data privacy is a big deal these days. And on January 1—New Year's Day—the California Consumer Privacy Act (CCPA) came into effect.
Many view CCPA as the strictest data privacy law to date in the United States. The act was created in response to the never-ending stream of large-scale data breaches and the frequent misuse of customer data, including the Cambridge Analytica debacle that resulted in the unauthorized usage of personal data belonging to tens of millions of people.
Who's Affected by the CCPA?
The CCPA applies to businesses with more than $25 million in annual revenues, entities that process personal information of 50,000 or more people annually, and organizations that earn 50% or more of their annual revenue from selling California residents' personal information.
CCPA attempts to put more power in the hands of California consumers by giving them certain rights in terms of how companies process their personal information, including:
- The right to know what personal information a business collects, uses, shares, and sells
- The right to delete personal information on file with a covered company
- The right to opt out of the sale of personal information
- The right to non-discrimination in pricing or services when consumers exercise their rights under CCPA
The act comes with teeth in the form of statutory damages, which range from $100 to $750 per consumer, per incident. CCPA also provides consumers with the right to pursue private action for data breaches, meaning they can sue a business for statutory damages when it fails to prevent unauthorized access, disclosure, or theft of personal information.
Furthermore, beyond the statutory damages, the maximum penalty for a CCPA infraction is $7,500 for intentional violations and $2,500 for those deemed unintentional.
Will the CCPA Change Behavior?
While the CCPA appears to signal a significant shift in the data privacy compliance landscape, critics question whether the California Attorney General's Office possesses sufficient resources to enforce the act and bring about a meaningful and sustained change in how covered businesses treat personal data.
So far, anecdotally, the state of compliance among businesses subject to CCPA suggests that many either see the threat of enforcement as remote or insufficient to justify changes in their current business practices, or fail to understand the act's finer points, resulting in inaction.
Nonetheless, examples such as Microsoft's decision to expand the new rights the act describes to all users (not just those in California) may indicate how other large corporations will eventually comply with CCPA.
In fact, in the run-up to CCPA becoming law, Facebook and Google expressed a preference for a federal data privacy law that would negate the need for individual states to adopt their own versions of CCPA. Around 20 states are currently considering such laws, and nine other states have already passed new data privacy laws.
According to some data privacy experts, it's just a matter of time before we see a federal data privacy law similar to the General Data Protection Regulation (GDPR) that covers the European Union.
The California Attorney General's Office is set to begin enforcing CCPA in July. Not until then will we see how aggressively it intends to do so. Regardless, businesses can expect that data privacy practices must change to satisfy the growing number of both federal and state laws designed to protect consumer data wherever it resides.