What do businesses need to do to comply with the new California CCPA law?
UPDATED: March 30, 2020
You’ve probably heard of the Constitution and the Bill of Rights, right? One of those amendments in the Bill of Rights, the Fourth Amendment, protects Americans from unreasonable searches and seizures of their property.
The Fourth Amendment restricts what the government can do with your property, but what about your data? Some of the larger threats to individual privacy today come from the vast quantities of data collected by ever more powerful private companies and then sold on the open market.
State laws regulating how third parties may treat consumer data are a patchwork that varies from state to state. Federal data protection law is limited as well: there are some safeguards, but they are narrow and sector-specific.
It can seem complicated on the surface to be a business dealing with the new California CCPA, and to a degree it is. But we’re here to help you navigate the ways businesses can continue to operate as normal while complying with this new law. So let’s get into it!
What exactly is the new California CCPA law?
Not many states offer a generous interpretation of an individual's right to privacy. California stands out in this respect. In 2018 California passed AB 375, commonly referred to as the California Consumer Privacy Act (CCPA). It went into effect on January 1, 2020.
The CCPA applies to for-profit businesses, including small businesses, that meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of annual revenue from selling consumers' personal information. Personal information under the CCPA includes Social Security numbers, driver’s license numbers, and, very notably, unique personal identifiers. These include device identifiers and other types of online tracking technologies.
Few other states have a comparable law. Maryland's Personal Information Protection Act (PIPA), Md. Code Ann., Com. Law § 14-3501 et seq., is narrower than California's privacy law but more expansive than most other states' statutes. PIPA requires that Maryland consumers' personal identifying information be reasonably protected.
If personal data is compromised, the consumer must be notified. PIPA contains provisions for notifying consumers in the event of a data security breach and mandates that businesses implement reasonable security measures to protect consumers' personal identifying information.
The CCPA also gives consumers a private right of action for data breaches: statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.
Separately, a business that violates the law is subject to a civil penalty of up to $2,500 for each violation, or up to $7,500 for each intentional violation, assessed and recovered exclusively in a civil action brought in the name of the people of the State of California by the Attorney General.
Beyond the breach remedy, the law gives consumers rights over their data in the ordinary course of business: the right to know what personal information a business has collected about them and how it is used and shared, the right to request its deletion, and the right to opt out of its sale.
How does Europe’s General Data Protection Regulation (GDPR) come into play?
With the adoption of the General Data Protection Regulation (GDPR) in 2016, the European Union took the lead in treating data protection more seriously. Businesses that already comply with the GDPR may find that they already satisfy many of the requirements of the California Consumer Privacy Act, although the two laws are not identical and a GDPR program should still be checked against the CCPA’s specific obligations.
Under the GDPR, failure to implement appropriate security measures to safeguard personal data can already result in enforcement action, including significant fines, and that action can be taken even in the absence of a cyber-attack or data breach. Data privacy regulation worldwide is likely to continue to become more harmonized as businesses grow and transact across borders.
How will new technologies be affected by these laws?
Facial recognition technology represents a new wave of identity and authentication challenges. Alongside the CCPA, California’s AB 1130, also effective January 1, 2020, amended the state’s data breach notification law to add a person’s unique biometric data, such as fingerprints or an image of a retina or iris, to the categories of personal information whose compromise triggers a breach notice.
Under the CCPA, consumers are permitted to sue companies that collect their data if that information is stolen or disclosed in a data breach, but only where the breach resulted from the company’s failure to implement and maintain reasonable security procedures and practices.
Consumers also have a right to demand to have personal biometric data deleted. Privacy advocates believe that a person must be allowed to consent to their faces being scanned.
Furthermore, any data acquired during such a scan should be deleted once it is determined not to match a database of known criminals. There is no reason a third party should be allowed to keep a permanent record of a person’s face and other biometrics without that person’s explicit consent.
What does all this mean for you?
Maybe you’re not involved in data collection or the like. But if you are, you may need to take some precautions to ensure you’re not violating the CCPA. For a small business, meeting the CCPA’s burden means an internal legal review and a written legal opinion. A review of all commercial agreements is the first step in determining whether the business is exposed to a CCPA violation.
A business must determine whether it is "selling" personal information within the meaning of the CCPA. The statutory definition is broad: disclosing or making available a consumer’s personal information to another business or third party for monetary or other valuable consideration counts as a sale. In-house lawyers and outside counsel must review the company’s commercial agreements to assess whether consumer personal information is being "sold" in this sense. If it is determined that personal information is not being "sold," then the CCPA does not require a sale opt-out.
On the other hand, if data is "sold" for CCPA purposes, the business must work out how to meet the CCPA’s opt-out requirements, including providing a clear "Do Not Sell My Personal Information" link and honoring the requests that come through it. Each circumstance and remedy will be unique to each business, and in the end it’s always better to be safe than sorry.
David Reischer, Esq. is a licensed business law attorney with over 15 years of legal experience and is the Founder and CEO of LegalAdvice.com