A Look at the California Consumer Privacy Act
Are you a resident of California? Or are you a business owner whose business reaches consumers in California? If your answer to either of these questions is “yes,” then you should familiarize yourself with the California Consumer Privacy Act (“CCPA”). The CCPA is a new set of laws intended to enhance privacy rights and consumer protection for consumers in California. As more businesses rely on social media advertising, the CCPA and other privacy laws may affect you. Below is a breakdown of the most relevant parts of the CCPA.
Is the CCPA already law?
Yes, the CCPA took effect on January 1, 2020. The Act was passed by the California State Legislature and signed by the governor in 2018.
What is the CCPA and why does it matter?
The CCPA allows consumers to see all the personal information companies have collected on them, as well as a list of all the third parties that the companies have shared their data with. It also empowers consumers with the ability to either (1) force companies to delete their personal data, or (2) forbid the companies from sharing their data with third parties.
Additionally, the CCPA compels companies to take certain actions in order to facilitate consumer requests for information. For example, all covered companies are required to update their privacy policies with language that acknowledges the new rights afforded to consumers by the CCPA. Moreover, companies must provide at least two channels for receiving personal requests that include, at a minimum, a web page and a toll-free telephone number.
This marks an important shift in the battle over consumer data. In the past, consumers have been limited to retroactive remedies. For example, consumers were able to sue Target only after the company announced its consumer database was breached in 2013. Under the CCPA, however, consumers can take proactive steps to protect their data.
Are all companies covered by the CCPA?
No, the CCPA does not apply to every business; rather, it only covers large companies or those that retain a significant amount of consumer data. There are three types of companies that the Act explicitly covers: (1) companies with more than $25 million in gross revenue; (2) companies with data on more than 50,000 consumers; and (3) companies that make more than 50% of their revenue selling consumer data.
It is important to note, though, that the CCPA is not limited to California-based companies. Its scope extends to any company that does business in the state, whether online or in-person.
Which information is considered “personal”?
Obviously, your name, social security number, postal address, email, and phone number all constitute personal information. But, the CCPA goes beyond these usual identifiers by also requiring disclosure of the following: biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic and employment information, and inferences drawn to create a profile about the individual to reflect preferences.
How is the CCPA enforced?
The CCPA includes a number of sanctions and remedies that can be imposed if a company violates its duties under the statute. Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages – whichever is greater. The companies can also be liable for any other relief a court deems proper. Finally, companies can be sanctioned with a fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation of the statute.
The CCPA is one of the first efforts by lawmakers to limit the control of consumer data by large companies. It will certainly not be the last. In the wake of several high-profile data breaches, the tide appears to have turned in favor of protecting consumer data, rather than commodifying it. Many other states have announced bills similar to the CCPA, and a federal online privacy bill was introduced in the House of Representatives on November 5, 2019.
For consumers such as yourself, the CCPA may provide you with an important tool to protect your personal data – especially your data on social media sites like Instagram. You must balance your goal of greater exposure with the need for privacy of your personal information. If your data is breached, your name and goodwill may be tarnished permanently.
Finally, for consumers who don’t reside in California, you should still familiarize yourself with the CCPA. Given the importance of the California market, many legal scholars believe the CCPA will have a national impact. Large companies will likely adopt universal privacy policies that conform with the CCPA, rather than restricting compliance to consumers of the Golden State.
* Charles Crane is an Associate Editor on the Michigan Technology Law Review.