Quick guide to the California Consumer Protection Act


Georgia Iacovou

02 Oct 2019

The CCPA: it’s coming soon, but hardly anyone really knows what it is

The California Consumer Protection Act will go into effect on the 1st of January 2020. Interestingly, it’s aimed solely at for-profit businesses. This is a key difference between the CCPA and the GDPR; there are many such differences, which you can read about here.

However, if you are running a business anywhere in the world, this could affect you. It’s not about where the business is based, but where the consumers are. If any of your users live in California, this could affect you. So unless you plan on blocking the entire state of California from using your services, you should pay attention to this regulation.

To reiterate: the CCPA is NOT just for businesses based in California.

Before you read any further, just answer these three yes or no questions:

  1. Does your business have a gross annual revenue greater than $50M?
  2. Do you get half or more of your annual revenue from selling consumer data?
  3. Do you sell the personal data of at least 100k consumers or devices (alone or in combination) a year?

If the answer to any of those is yes, the CCPA will affect you — so what else do you need to know?

The CCPA affords Californian residents new data rights

In its current state, the CCPA is not so much a set of rules for companies, but a new set of rights for consumers. So essentially, businesses now need to be prepared to facilitate these rights being exercised. Here is what they are:

[Image: a screenshot of all the consumer rights that the CCPA affords]

This has been lifted straight from their website — the regulation is aimed at businesses but the site is written completely for consumers. This is important, because consumers should know what their rights are.

Where this leaves businesses: learn the rights and be prepared. To summarise the most important bits, as a business you must be prepared to:

What the CCPA classes as ‘personal information’

Interestingly, the CCPA does not limit ‘personal information’ to something that may identify a person — it also covers anything that may identify a device. This is a very apt move, especially when you consider the growing number of devices used in a household that do not belong to one person: for example, a smart TV, an Alexa, or one of those Facebook Portals, which are a privacy nightmare.

Quoted straight from the regulation document itself, the following are listed as personal information:

  1. Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  2. Any categories of personal information enumerated in Civil Code 1798.80 et seq.;
  3. Characteristics of protected classifications under California or federal law;
  4. Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
  5. Biometric data;
  6. Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
  7. Geolocation data;
  8. Audio, electronic, visual, thermal, olfactory, or similar information;
  9. Psychometric information;
  10. Professional or employment-related information;
  11. Inferences drawn from any of the information identified above; and
  12. Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

The usual suspects make an appearance here: geolocation, email address, employment information. But look who else is included: biometric data, psychometric data and… thermal information.

This is extremely comprehensive; it takes into account lots of different kinds of data that can be gathered in a variety of ways. And, importantly, in number 11 they’ve even included information you can infer from any other data you may have gathered.

This means that the CCPA is most definitely aiming to zero in on companies that have the resources to aggregate data in specific ways — in other words, ad networks such as Facebook and Google, which engage heavily in behavioural advertising.

What will enforcement look like?

CCPA enforcement can come in two ways: a business could get sued by Californian citizens OR smacked with a fine from the attorney general.

The attorney general’s fines are imposed per violation. In this case, a violation is the failure to fulfil one request, for one person or device. So, the failure to disclose to one customer all the data you collect about them = one violation.

💵 How much you could be fined depends on the situation, and is up to the attorney general. But, there are limits:

So, say you have 5,000 active users but forget to be transparent about the categories of their data that you sell to other companies. You could be fined $12.5M. That’s a lot of money, and not really that many active users.

Wilful violations could of course cost you a lot more, so if a Californian user asks you to delete all data you have about them, or stop selling it to others, it’s definitely worth you honouring the request and finding a way of proving that you’ve done so.

In addition to this, you could also be sued for data breaches. The third consumer right listed above is the right to have your information stored securely. So as a business, you need to do what you can to safeguard against breaches. A resident of California could sue you for up to $1000 per data point breached. A data point could be an email address, for example.

Let’s apply that to the recent data breach at Marriott hotels: 339M guests had their personal data stolen — among that data were passport numbers, credit card numbers, and dates of birth. That’s three data points per person. If just 500k of those guests were Californian, under the CCPA Marriott could be sued for up to $1.5 billion.

Just for perspective, the GDPR fine for the Marriott breach was less than £100m. So the CCPA has the potential to cost businesses a lot more money if they fail, or refuse, to comply.

So what will 2020 look like with the CCPA?

It is currently quite hard to say, because this is a strict regulation, but one that applies only to a narrow set of companies. It seems most likely to affect medium to large tech companies, and data brokers.

What is quite clear is that the CCPA is just the start of things to come in the US — this is just one state. Others will follow suit (both Maine and Nevada have recently passed laws), and that could pave the way to a much-needed federal privacy regulation.

the author

Georgia Iacovou

Content Writer, Metomic