The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.[2] Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.[3][4]
California Consumer Privacy Act | |
---|---|
California State Legislature | |
Full name | California Consumer Privacy Act of 2018[1] |
Introduced | January 3, 2018 |
Signed into law | June 28, 2018 |
Governor | Jerry Brown |
Code | California Civil Code |
Section | 1798.100 |
Resolution | AB-375 (2017–2018 Session) |
Website | Assembly Bill No. 375 |
Status: Current legislation |
Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 13, 2018.[5][6] Additional substantive amendments were signed into law on October 11, 2019.[7] The CCPA became effective on January 1, 2020.[8] In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA.[9]
Intentions of the Act
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.[10]
- Not be discriminated against for exercising their privacy rights.
Compliance
The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers' personal information.[11][12]
Organizations are required to "implement and maintain reasonable security procedures and practices"[13] in protecting consumer data.
Responsibility and accountability
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(c)).
- “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident's personal information (Cal. Civ. Code § 1798.135(a)(1)).[14]
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).[15]
- Update privacy policies with newly required information, including a description of California residents' rights (Cal. Civ. Code § 1798.135(a)(2)).[16]
- Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).[17]
Sanctions and remedies
The following sanctions and remedies can be imposed:
- Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c).[5]
- Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General's Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).[5]
- A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).[5]
- Privacy notices must be accessible and have alternative format access clearly called out.[18]
- Liability may also apply in respect of businesses in overseas countries who ship items into California.[19]
Definition of personal data
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, license plate number, passport number, or other similar identifiers.[2]
An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.[20]
It does not consider Publicly Available Information as personal.[21]
Key differences between CCPA and the European Union's General Data Protection Regulation (GDPR) include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information.[22] CCPA differs in definition of personal information from GDPR as in some cases the CCPA only considers data that was provided by a consumer. The GDPR does not make that distinction and covers all personal data regardless of source. In the event of sensitive personal information, this does not apply if the information was manifestly made public by the data subject themselves, following the exception under Art.9(2),e). As such, the definition in GDPR is much broader than defined in the CCPA.[23][24]
Personal data could also include online or social media profile information. Personal data is not limited to a number or a physical document, but can also be online identities, accounts, and other personal information.
History
The California Consumer Privacy Act of 2018 was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy.[25] The California DOJ approved the initiative's official language on December 18, 2017, allowing the group to begin collecting signatures.[26] In June 2018, the proponents gathered enough signatures to qualify the CCPA initiative for the November 2018 election.[27] In California, the state legislature cannot repeal or amend a ballot proposition once it is passed by voters.[28] In response to the CCPA ballot proposition, state legislators negotiated with Californians for Consumer Privacy to pass a less restrictive version of the CCPA in exchange for the withdrawal of the ballot proposition.[29]
The CCPA was passed by the state legislature and signed by Gov. Brown on June 28, 2018; it became effective on January 1, 2020.[30][31] The act's effect was dependent upon the withdrawal of initiative 17–0039, the Consumer Right to Privacy Act.[32] Five amendments were enacted and signed by Gov. Newsom on October 11, 2019.[33] Notice of DOJ's proposed regulations was also published October 11 in the Z Register; As of January 10, 2020[update] the OAL had not yet filed the final regulations with the Secretary of State, as required for the regulations to become effective.[33][34]
2020 California Proposition 24 proposed several changes to the CCPA.[35] The proposition, also called the California Privacy Rights Act of 2020, expands existing data privacy laws by allowing consumers greater control of their personal data and establishing a new privacy protection agency.[36] It passed, with a majority of voters approving the measure.[37]
Exemptions
- Personal Health Information
- Financial information
A big area of the CCPA exemption is the personal health information (PHI) that is gathered.[38] Rather than the data being treated with the CCPA guidelines in mind, it is expected for PHI to adhere to the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.[38] If the business collecting the data is related to clinical trials, then it must adhere to the "Common Rule".[39]
As for the information that is gathered by financial institutions, the institutions follow the California Financial Information Privacy act or the Gramm-Leach-Bliley Act depending on the situation.[38][40]
See also
- Consumer protection
- General Data Protection Regulation
- Information privacy
- The Sedona Conference Commentary on a Reasonable Security Test
References
- ^ "AB-375, Chau. Privacy: personal information: businesses". California State Legislature. Retrieved 19 November 2018.
- ^ a b The California Consumer Privacy Act of 2018.
- ^ Lapowsky, Issie (June 28, 2018). "California Unanimously Passes Historic Privacy Bill". Wired.com. Retrieved September 17, 2019.
- ^ "Bill Text - AB-375 Privacy: personal information: businesses". Leginfo.legislature.ca.gov. Retrieved 27 November 2018.
- ^ a b c d "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
- ^ "How the new California data privacy act could impact all organizations". Information Management. Retrieved 2019-01-30.
- ^ "Governor Newsom Issues Legislative Update 10.11.19". Retrieved 2019-11-08.
- ^ "2019 is the Year of . . . CCPA? [Infographic]". The National Law Review. January 8, 2019. Retrieved 2019-01-30.
- ^ "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
- ^ Senate Bill No. 1120, Chapter 735, Sec.2, 1798.105
- ^ "California Consumer Privacy Act (CCPA) Fact Sheet" (PDF). State of California - Department of Justice - Office of the Attorney General. Retrieved 2020-03-25.
- ^ "CCPA Guide: Are You Covered by the CCPA". JD Supra. Retrieved 2019-01-30.
- ^ "TITLE 1.81.5. California Consumer Privacy Act of 2018 - CA Legislative Information".
- ^ "Control Your Personal Information | CA Consumer Privacy Act". caprivacy.org. Retrieved 2019-01-30.
- ^ Valetk, Harry A.; Hengesbaugh, Brian (December 18, 2018). "A Practical Guide to CCPA Readiness: Implementing Calif.'s New Privacy Law (Part 2)". Corporate Counsel. Retrieved 2019-01-30.
- ^ "Today's Law As Amended". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
- ^ Captain, Sean (2018-07-02). "Here are 5 key details in California's new privacy law". Fast Company. Retrieved 2019-01-30.
- ^ "Federal accessibility laws don't matter — California's accessibility laws do". Medium.com. Retrieved 12 November 2018.
- ^ "How does the California Consumer Privacy Act apply to Australian businesses?". www.gladwinlegal.com.au. Retrieved 24 August 2020.
- ^ TITLE 1.81. CUSTOMER RECORDS[1798.80 - 1798.84] (Law DIVISION 3. OBLIGATIONS [1427 - 3273] e). California State Legislature. January 1, 2010. This article incorporates text from this source, which is in the public domain.
- ^ Privacy: personal information: businesses (Assembly Bill 1798.140/(o)(2)). California State Legislature. June 28, 2018.
- ^ "How to Prepare for the CCPA – Here Are the Resources You Need". CGOC The Council. 2019-10-06. Retrieved 2019-10-15.
- ^ Fielding, John (Feb 4, 2019). "Four differences between the GDPR and the CCPA". HelpNet Security.
- ^ "How to Prepare for the CCPA – Here Are the Resources You Need". CGOC. 2019-10-08. Retrieved 2019-10-08.
- ^ Wakabayashi, Daisuke (14 May 2018). "Silicon Valley Faces Regulatory Fight on Its Home Turf". The New York Times.
- ^ "Proposed Initiative Enters Circulation: Establishes New Consumer Privacy Rights; Expands Liability For Consumer Data Breaches" (Press release). California Secretary of State. 18 December 2017.
- ^ "The California Privacy Rights Act Has Passed: What's in It?". JD Supra. Retrieved 2020-12-10.
- ^ "Laws governing the initiative process in California". Ballotpedia. Retrieved 2020-12-10.
- ^ "California lawmakers agree to new consumer privacy rules that would avert showdown on the November ballot". Los Angeles Times. 2018-06-22. Retrieved 2020-12-10.
- ^ "California Unanimously Passes Historic Privacy Bill". Wired. ISSN 1059-1028. Retrieved 2020-12-10.
- ^ Stephens, John (2 July 2019). "California Consumer Privacy Act". Business and Corporate Litigation Committee Newsletter. American Bar Association.
- ^ Cohen, Rodgin; Evangelakos, John; Mousavi, Nader; Schwartz, Matthew; Friedlander, Nicole (23 July 2018). "Sullivan & Cromwell Discusses California Consumer Privacy Act of 2018". CLS Blue Sky Blog. Columbia Law School.
- ^ a b Das, Anjali; Ferrari, Stefanie (3 December 2019). "California Consumer Privacy Act Effective January 1: Update". The National Law Review.
- ^ Hutnik, Alysa Zeltzer; Townley, Katie; Khouryanna, DiPrima (23 October 2019). "CCPA Draft Regulations: What to Know About Timing and Process". Ad Law Access.
- ^ "California Proposition 24, Consumer Personal Information Law and Agency Initiative (2020)". Ballotpedia. Retrieved 2020-10-25.
- ^ "Text of Proposed Laws - Proposition 24" (PDF). California Secretary of State.
{{cite web}}
: CS1 maint: url-status (link) - ^ Hooks, Chris Nichols, Kris. "What We Know About California Proposition Results". www.capradio.org. Retrieved 2020-12-08.
{{cite web}}
: CS1 maint: multiple names: authors list (link) - ^ a b c "California Consumer Privacy Act FAQs for Covered Businesses". Jackson Lewis. 2019-10-10. Retrieved 2020-11-11.
- ^ "The California Consumer Privacy Act" (PDF).
- ^ "Codes Display Text". leginfo.legislature.ca.gov. Retrieved 2020-11-11.
Further reading
- Hautala, Laura (December 25, 2019). "CCPA: Everything you need to know about California's new privacy law". CNET. Retrieved December 31, 2019.
- Hautala, Laura (December 27, 2019). "New privacy laws like CCPA could be headed to your state". CNET. Retrieved December 31, 2019.
- Lapowsky, Issie (June 28, 2018). "California Unanimously Passes Historic Privacy Bill". Wired. ISSN 1059-1028.
- Lyons, Kim (December 31, 2019). "The CCPA goes into effect January 1 but still isn't quite finished". The Verge. Retrieved December 31, 2019.
- Morrison, Sara (December 30, 2019). "California's new privacy law, explained". Vox. Retrieved December 31, 2019.
- Stephens, John (July 2, 2019). "California Consumer Privacy Act". American Bar Association. Retrieved December 31, 2019.