The California Consumer Privacy Act, or CCPA for short, passed with a unanimous vote on June 28, 2018. The new law will go into effect on January 1st, 2020 and is set to be the toughest privacy law in the US to date, expanding the rights of consumers and requiring businesses to be more transparent about their data processing activities. Furthermore, the CCPA is a first step towards a unification of privacy laws worldwide, being similar in many ways to the EU’s GDPR.

Who does it apply to?

Similar to the GDPR, the CCPA will apply to businesses worldwide if they, or an entity that controls them, receive personal data of California residents, directly or indirectly, and they meet at least one of the following criteria:

  • Their annual revenue exceeds US $25 million
  • They annually receive, directly or indirectly, the personal data of at least 50,000 California residents, devices, or households
  • 50% or more of their annual revenue is derived from the sale of personal information about California residents

Note that the definition of personal information under the CCPA is also broader than before. It includes any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, and it will include data such as personal identifiers and IP addresses, regardless of whether they are associated with other identifying information.


Similar to the GDPR, the main goal of the CCPA is to expand the rights of individuals with regard to their personal data. Here are the main individual rights according to the CCPA:

  • Access - individuals can request disclosure of the data elements that have been collected about them, such as categories of personal data, sources, purposes for collecting data or for selling it, and categories of recipients with whom the data has been shared
  • Data portability - if an individual requests it, businesses should provide data in a readily transmissible format
  • Deletion
  • Disclosure about sharing/sale - individuals have a right to request an accounting of the disclosure, including sale, of personal data to third parties
  • Opt Out - individuals have the right to object to the sale of their data
  • Opt In - minors or their guardian must affirmatively authorize the sale of the minor’s data

Another change that the CCPA brings is related to non-discrimination and financial incentives. Businesses cannot discriminate against their clients for opting out of the sale of their personal information. Businesses may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer. Furthermore, businesses may offer financial incentive programs for the collection, sale, and disclosure of personal information only if the consumer is informed in a fair and transparent manner.

In part II, we will discuss the other key changes brought by the CCPA, such as transparency, obligations regarding personnel training, privacy notices and terms of use, and the sanctions for non-compliance.