Introduction to the CCPA

N.B. This article is a transcript of TheGDPRGuy Podcast Episode 9 – Introduction to the CCPA from May 2019.

For many of you, the GDPR was the only game in town when it came to privacy and data protection. Hopefully you’ve been keeping an eye on ePrivacy rules too, along with all the other data regulations across the globe. But let’s be honest, the GDPR was where most attention has been focused.

But that’s now changed with the arrival of The California Consumer Privacy Act, the “CCPA”.

A quick tangent, and this is somewhat of an apology, I spend most of my time talking to Americans who say [Pry-Ver-See] rather than the British way of [Pri-Ver-See]. I used to say Privacy [Pri-Ver-See], (because that’s what the Queen would rightly say) but I now say both, which makes me weird. I can’t help it. So again, I apologise, but you’re just going to have to deal with it. Actually, that wasn’t much of an apology. Sorry.

So onto the CCPA…

Firstly, what is the CCPA?

The CCPA is California’s new privacy law which is set to go live on 1st January 2020. It’s a state law so it’s specific to California and is an attempt to tighten up rules on privacy and especially data sharing. Somewhat annoyingly, as of May 2019, with less than eight months before it goes live, the exact rules of the CCPA are still being discussed and adjusted with a number of proposed amendments still in flight. There are three reasons why we still have changes going on. The first is that some of the wording within the CCPA is ambiguous (which most parties agree needs defining). The second reason is that many privacy activists find the CCPA too weak and want it made tighter. The third reason is the opposite, with many organisations arguing the CCPA is too restrictive to their business and wanting it made weaker in places. I’ll discuss a key CCPA amendment later on, and various other amendments another time.

High Level Summary

Here’s a high level summary of the content of the CCPA.

The CCPA applies to you if you’re doing business with Californian residents and you meet one of the following three criteria:

  • you buy, sell or share the personal information of 50,000 Californian residents or their devices for commercial purposes, or
  • your gross revenue is greater than $25 million, or
  • you derive at least 50% of your organisation’s annual revenue from sharing personal information of Californian residents

So that means that small businesses shouldn’t fall into scope of the CCPA and larger businesses probably will.

Two of the main components of the CCPA are transparency and control. Companies will have to clearly state what information they are collecting from consumers and who they are sharing it with. Consumers will also have the ability to opt out of certain types of data sharing, such as where a company sells your data to another. This requires companies to host a “Do Not Sell My Data” link on their website so that visitors can easily declare their intentions. Note that this is an opt out right, rather than opt in, so we still don’t have a privacy by default approach here, much to the disappointment of many a privacy activist.

The CCPA also states that organisations can’t discriminate against those consumers that exercise their rights, such as by charging them more or giving them a lower quality of service if they don’t wish their data to be sold on.

Consumers also have some new rights such as the ability to get a free right of access once per year. And rules around child data processing are also tightened, making compliance a bit messy when you put the CCPA alongside COPPA (America’s Children’s Online Privacy Protection Act) and the various ages of digital consent across the EU and the world.

Rules on security are also present with the usual requirement to have a reasonable level of security procedures and practices. Using the term “reasonable” sounds vague, but the GDPR is no better, with its use of the term “appropriate” for its own security requirements.

Enforcement

Compared to the GDPR, enforcement of the CCPA is more complicated, confusing and subject to ongoing change. But as of now, here are the details and I’ll try to keep it as simple as possible.

The CCPA’s equivalent to an EU regulator is California’s Attorney General, who can bring a civil action in the name of the people of California to enforce the CCPA. The CCPA also gives consumers a private right of action to seek damages in the case of data breaches.

Attorney General Enforcement

Starting with enforcement by the Attorney General, the headline fact is that civil penalties have a maximum of $7,500 per intentional violation. This doesn’t sound much, so let’s unpack this.

Firstly, what is a violation? At first glance you would expect it to be per event or investigation, like in the EU, such as a company having a data breach or unlawfully handling child data. But with a $7,500 fine attached to it, it would seem much more likely for a violation to be per consumer instance within that overall breach of compliance. There’s little incentive or funding for the Attorney General to be raising an action if the penalties are too small. Without definition or clarity right now, the working assumption, or at least the sensible assumption, is that “per violation” would mean per consumer instance, whether that be within a large group of consumers or per individual that had their rights violated, such as through mishandling of a single data access request. If a million customer records have been lost in a breach then a $7,500 fine per consumer is pretty serious.

Secondly, what is intentional? Remember I said that the $7,500 maximum fine was for intentional violations. The CCPA has two levels of fines for the Attorney General, a maximum of $7,500 for intentional violations and $2,500 for all others. So being able to prove what was intentional non-compliance will become very important.

And at this point, a huge curveball comes out of nowhere, in the name of the “30 day cure period” and makes things even more different to the GDPR. The CCPA has a rule that when the AG serves a violation notice on an organisation, 30 days grace is provided to get the violation fixed and potentially avoid any fines. So it could be argued that if the violation isn’t fixed within those 30 days, or a decent attempt isn’t made to at least try, then the Attorney General could infer that the violation was indeed intentional and so the maximum fine bracket applies. This 30 day cure period sounds a bit pro-business and anti-consumer, and as I’ll discuss shortly, this 30 day window could have disappeared completely.

Consumer Action

So that covered what the Attorney General can do, but what about consumers themselves? The CCPA allows consumers to launch lawsuits when a data breach occurs. This would be for statutory damages of between $100 and $750 per consumer per incident, or for actual damages, whichever is greater. The scope of this is as you would expect, applying to identifiable information subject to unauthorised access as a result of poor security. And this was all subject to that 30 day cure period.

[N.B. 16th May 2019, SB 561 failed to be approved, so this section about SB 561 can be ignored. More details at https://consent.guide/ccpa-sb-561/ ]

But along came a big amendment, named Senate Bill 561, or SB 561 for short, which widens the private right of action dramatically. SB 561 makes some big changes. It makes the private right of action for consumers be applicable to any violation of the CCPA, not just for data breaches as it originally was. And consumers don’t need to show harm. It also removes the 30 day cure period from claims made by the Attorney General. For organisations seeking to comply with the CCPA I’d argue that SB 561 doesn’t fundamentally change the rules. But it does increase the risk of non-compliance and does remove the, “sorry we screwed up, we’ve fixed it now” period which some would have relied upon instead of being proactive with their compliance.
Summary

In summary, the CCPA can be seen as a “GDPR-lite”, with only a few key areas of concern if you’ve already been complying with the GDPR globally. And for everyone else, which is most large US organisations, there is a lot of work ahead, not helped in the least by continuing amendments and uncertainty within the CCPA.

===========================================
Images in this post have been kindly provided by:

Maarten van den Heuvel (Unsplash)

Carl Gottlieb

Carl Gottlieb is a Data Protection Officer and his consultancy company Cognition provides a range of Data Protection Services including virtual Data Protection Officers.