The California Consumer Privacy Act (CCPA): What You Need To Know

December 11, 2019 Elizabeth Schweyen

The California Consumer Privacy Act (CCPA) becomes effective on Jan 1, 2020. As a company focused on storing data, we thought we would share some of our insights on this new law.

What is the CCPA about? 

The CCPA is designed to help consumers manage the usage of personal information collected and shared by businesses. The CCPA fact sheet outlines the rights of California consumers to know, delete and opt out, and also outlines rights to non-discrimination. Specifically:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
  • The right to delete personal information held by businesses and, by extension, a business’s service provider
  • The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

Who does CCPA apply to?

The CCPA applies to companies that meet any of the following criteria: a) having gross annual revenues in excess of $25 million, b) buying, receiving, or selling the personal information of 50,000 or more consumers, households, or devices, or c) deriving 50 percent or more of annual revenues from selling consumers’ personal information.

What is considered “Personal Information”?

The new CCPA law expands the definition of personal information, expands the definition of “sale” of personal information, and allows consumers to sue businesses for any breaches of unencrypted personal information.

There are some differences between the CCPA and the previous definitions of what should be covered under privacy regulations. For example, most privacy laws limit personal information to information that can identify a specific individual. The typical data points would include a name, address, telephone number, or SSN. A combination of data points could also be considered personal information if it results in identifying a specific person. For example, if there is only one IT specialist with a nose ring who works at Druva, then these three data points constitute personal information.

CCPA, on the other hand, expanded the definition of personal information to include data points that won’t lead to identifying anyone in particular. Some of the items that CCPA covers are product purchase history, inferences about consumers based on their purchasing behaviors or social media activity, internet or network activities, and information about the entire household.

Financial impact of CCPA for businesses

One of the most important aspects of CCPA is the ability of individuals to sue businesses if their unencrypted personal information is subject to unauthorized access, theft, or disclosure (in other words, a data breach). They may sue for statutory damages ranging between $100 and $750 per consumer per incident and any additional damages (direct financial and consequential, such as reputational damages). In addition, the Attorney General can penalize businesses up to $7,500 for each intentional violation. This means that a company that does not follow security and privacy standards as stated in CCPA may be subject to significant liability both from litigation and from regulators.

A broader definition of “sale” of personal data

Finally, CCPA redefines how businesses are able to exchange data with their third-party partners, as it expands the meaning of “sale” and provides California residents the ability to opt out of the sale of their data. In this context, the exchange of data does not require a monetary payment for it to be considered a “sale”. Under CCPA, a sale of data means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. If a business is exchanging data with a third party for any value, outside of providing the contracted service, they will likely have to provide consumers with an option to opt out of the sale of data on their website.

CCPA is similar to GDPR, but not the same

CCPA is commonly referred to as California’s version of GDPR. It is true that CCPA is the most comprehensive US privacy law to date and does have some similarities with GDPR. Examples of this would be individual rights to request information, access, and deletion of personal information collected by businesses about them. There are also similar requirements around transparency of companies’ data practices, individual right of action against companies, and hefty fines associated with failure to comply. While the general themes are similar and impact is expected to be global, CCPA and GDPR vary in many important details.

  1. GDPR is a regulation that extends protection to anybody within the European Union, regardless of citizenship. Additionally, it only states a minimum requirement. Individual countries in the EU have their own laws that can be (and many times are) more restrictive. CCPA is applicable to CA data only. It specifically excludes any data that is already covered by a federal law, such as HIPAA or GLBA.
  2. GDPR applies to any business that offers goods or services to, or monitors the behaviour of, EU data subjects. CCPA only applies to businesses that generate annual gross revenue over $25M and/or deal with more than 50,000 consumers and/or derive 50% or more of their revenues from selling consumers’ personal information.
  3. GDPR can fine a company based on its global revenue, while CCPA sticks to statutory damages and individual’s damages depending on the violation.
  4. GDPR has a number of restrictions around data transfers outside of the EEA. CCPA does not include any limitations on data transfers outside of California.

There are many more differences and nuances. For organizations that are working through their compliance preparation it is important to understand all of the variations.

As the leader in Data Management as a Service, Druva is committed to data privacy, data security, and transparency. To learn how Druva supports GDPR and CCPA Compliance, read more here: https://www.druva.com/solutions/gdpr/. To learn more about Druva and privacy compliance: https://www.druva.com/about/compliance/