The California Consumer Privacy Act of 2018 (CCPA) applies to businesses operating in California. The Act took effect at the beginning of 2020. The law focuses on protecting consumer data, and it applies to every large enterprise. Under the Act, a business must honor consumer requests to access the personal information it holds about them in its databases.
Which Businesses Must Comply With CCPA?
Organizations that are required to comply with the regulations of CCPA include:
- For-profit businesses
- Businesses operating in California
- Businesses that collect personal information from California residents
- Businesses that collect over $25 million in annual gross revenue
- Businesses that derive a large share of their annual revenue from selling consumers’ personal information
Which Businesses Are Exempt From CCPA?
Businesses exempt from CCPA include small businesses that do not process a large amount of consumer personal data. Non-profit organizations of all sizes are also exempt. Further exemptions cover for-profit businesses that do not operate in California or do not deal with California residents, and businesses whose annual gross revenue does not exceed $25 million.
What Are The Penalties For Non-Compliance?
Failing to comply with the California Consumer Privacy Act of 2018 can lead to serious penalties. These range from monetary fines imposed through the Attorney General’s enforcement of the law to damages awarded in a consumer’s lawsuit. A consumer can sue you if their personal information is subject to disclosure, theft, or unauthorized access.
To prevail, a consumer must show that the business failed to implement reasonable security measures to prevent a breach of their personal data. Statutory damages a consumer may be awarded range from $100 to $750 for each piece of personal data compromised; the consumer may also seek injunctive relief.
CCPA Versus GDPR
The California Consumer Privacy Act of 2018 is often likened to the European Union’s GDPR. Like the GDPR, the CCPA protects consumers’ privacy by restricting how entities handle personal information. The CCPA and the GDPR were the first laws of their kind in the U.S. and the EU, respectively. Under both, organizations that handle personal data must disclose to consumers what data they hold and how they are using it.
While the GDPR mainly regulates the processing of consumer data and also has rules on collection and sales, the CCPA regulates only the collection and sale of consumer data. Furthermore, the GDPR applies to all businesses operating within EU member countries regardless of the organization’s size, whereas the CCPA applies only to businesses that meet specific criteria. For example, it applies to for-profit businesses operating in California or dealing with data from California residents, and to businesses with more than $25 million in yearly revenue.
Both the CCPA and the GDPR require businesses to inform consumers up-front why they are collecting their personal information and what they intend to do with it. Another distinction is that the GDPR gives data owners the right to correct mistakes in personal information that EU businesses have processed; the CCPA grants no such right. Finally, both the GDPR and the CCPA give data owners the right to be compensated for damages arising from an infringement of their regulations.
New CCPA Regulations
In March this year, the CCPA published new regulations on how businesses may communicate their privacy options. These regulations rule out “dark patterns” that blindside consumers into not opting out of the sale of their personal information. Businesses may not confuse consumers with ambiguous language or present them with multiple reasons why they should not refuse to share their personal information. Businesses may also display an optional blue icon to highlight privacy choices to consumers.
The California Privacy Rights Act (CPRA), passed towards the end of last year, will transfer some of the Attorney General’s duties under the CCPA to the California Privacy Protection Agency. The CPRA takes effect in 2023. Beginning July 1, 2020, the office of the Attorney General has issued “Notices to Cure” to many companies doing business in California, directing them to update their policies to meet the new CCPA regulations. If your business receives such a notice, act promptly: it gives you only a 30-day window to resolve the issue. To be on the safe side, consult your lawyer to determine the best course of action.
If you run a business in California or transact business with California residents, make sure you comply with CCPA regulations. Doing so will protect your business from heavy fines and consumer lawsuits. Consult a lawyer for guidance on how to abide by the CCPA and to understand the implications of failing to comply.