Understanding the CCPA (California Consumer Privacy Act)

Understanding the CCPA (California Consumer Privacy Act)

As the California Consumer Privacy Act (CCPA) officially went into effect on January 1st, 2019, Californians now will have a new take on their personal information and the laws associated with it. The CCPA was officially passed and signed over a year ago and is one of the most detailed consumer privacy laws the state has ever had. With the Act in place, Californians will have new data protection policies, including the right to access information, the right to deletion, and the right to opt-out. CCPA compliance will have to be met by any company that uses or sells consumer data, however, there is a 12 month reprieve for businesses’ B2B (business-to-business) transactions.

Consumer Rights

  Consumers in California have three main rights associated with the CCPA including:  
  1. The Right to Access Information – Consumers now have the right to request access to the information that is collected and sold, who collected it, whom the information was shared with or sold to, and why it was collected.
  2. The Right to Deletion – Requests may be made by consumers to any business that collects consumer information for the deletion of that information.
  3. The Right to Opt Out – Californian consumers may request that their personal information not be sold to third parties.
  With these rights, companies must comply with any and all requests for personal information collected, must honor requests for deletion, as well as requests by the consumer to opt out of data being sold to third parties.  

What Kind of Information May Have Been Collected?

  The kind of information and the detail of that personal information depends on the business itself. Businesses that collect data associated with personal online activity, ad-targeting data, biometric data and the-like will most likely receive the broad range of requests for access, deletion, and opting-out. Businesses with higher revenues may also receive the broader range of requests, as they may be more prone to collecting consumer data.  

Overall Intentions of The CCPA

  The CCPA has been put into place with the intention to put regulations on the sharing and sale of consumer personal data. It is designed to give consumers more control over the use of their personal data, and more control over their personal privacy.  

What This Means For Businesses

  This means a number of things for businesses regarding the disclosure of data and information collected, what that data is being used for, and any third parties that such data is shared with. Businesses affected include:  
  • Businesses that have annual revenues of $25 million or greater.
  • Any business that buys, receives or sells the personal information of more than 50,000 consumers.
  • A business that generates more than 50 percent of annual revenue from selling the consumers’ personal information.
  Businesses that are subject to the CCPA will now be required to:  
  • Provide notice to the consumer at or before the collection of data.
  • Create procedures to respond to requests from consumers who wish to know the information collected, delete it, or opt-out of having that information sold.
  • Provide a “Do Not Sell My Info” button on their mobile app or website.
  • Provide responses to requests to know, delete, or opt-out
  Fines, lawsuits, or civil actions may consist of:  
  • Consumer civil action lawsuits of between $100 to $750 per individual privacy violation.
  • Attorney General of California lawsuits of $2,500 for unintentional violations.
  • Attorney General of California lawsuits of $7,500 for intentional violations.
 

CCPA Compliance Costs

  Statistics provided by the California Department of Justice states that the Standardized Regulatory Impact Assessment for CCPA regulations estimates that this Act will protect over $12 billion worth of personal information that is used through advertisements in California annually. An estimate suggests a number between $467 million to $16,454 million in costs to comply with the regulation between 2020-2030.  

Why the CCPA May Concern You

  The CCPA may affect both consumers and business owners in California. In the near future, consumers in California will begin to see changes in how businesses are run. As the demand for a “Do Not Sell My Info” button and responses to requests may begin to rise, consumers will be regularly prompted on both websites and mobile apps as to whether they want their info collected, used, or sold for advertising purposes.   Furthermore, business owners - and more so businesses with an annual revenue over $25 million, a reach of over 50,000 consumers, or an annual revenue that consists of more than 50% from the selling of users’ personal information - will need to make some adjustments. As the demand by consumers for personal information that has been collected from them will rise with the passing of this new regulation, businesses will need to keep in mind the amount of diligence needed to meet these possible high volumes of requests.   If you have a large customer base in California, the CCPA may affect you. Businesses might need to put forth considerable effort to remain compliant with the law.  

What Kind of Controls Can I Use to Protect My Company Website

  Being compliant with privacy laws is now viewed as a priority. There are several ways in which you can ensure that your business is compliant with these laws:  
  • Ensure that your business has adequate privacy policies for users and make updates to those policies.
  • Ensure that those privacy policies are posted visibly on your website or mobile app.
  • Provide links on your website for requests of information, deletion, or opting out.
  • Keep up to date with the laws and how well your business complies with them.
  • Respond within the allotted amount of time, diligently, when a user requests information, deletion, or to opt-out.
  • Figure out where all stored data that your business has collected is stored. (i.e. data audits)
  • Get better security software for your website.
  • Track all requests and responses to requests
 

The First CCPA Lawsuit: Barnes vs. Hanna Andersson, LLCC

  As of February 2020, The first CCPA class action lawsuit has been filed against Salesforce.com and Hanna Andersson, LLC by Bernadette Barnes. It is the first CCPA related lawsuit for data breach allegations. Barnes states that hackers were able to access private customer information such as names, addresses and credit card numbers via Hannah Andersson’s E-commerce website which was hosted by Saleforce.com.   Companies should closely watch the progression of this lawsuit. Barnes may pave the way for other privacy class actions, especially if the district court issues any consumer-friendly rulings, interprets the CCPA or rules on any of the unresolved issues.     The National Law Review has also stated that, “Currently, the CCPA provides for a limited private right of action for data breaches, with damages between $100 and $750 per violation, per consumer.  If the Barnes complaint is later amended to successfully assert an actual CCPA cause of action, the defendants would face a minimum of $1,000,000 in CCPA statutory damages.” Should this damages settlement occur, future CCPA lawsuits may become more prominent.   on the surface the barnes case seems to be perfect pilot case for raising a CCPA cause of action. The CCPA however contains some ambiguities which may have played a role in the notable absence of this claim from the Barnes compliant.  

Moving Forward

  Experts are still unsure of what the future involving websites and the CCPA includes, but advise to keep a close eye on the advancement of Barnes vs. Hanna Andersson, LLCC. With this new lawsuit comes the potential for further lawsuits regarding CCPA violations.   For consumers, it’s best to make sure that your privacy is protected on the sites that collect your personal information. For businesses, it’s best to make sure that your website is compliant with CCPA law to ensure that your business does not face extensive lawsuits.   Do you need help making adjustments to your website to meet CCPA compliance? Social Spice Media is here to help. Our talented web developers will make proper adjustments to your website to meet CCPA Law as well as improving the appearance of your website and business as a whole.   Do you know someone who could benefit from our services? Refer them to us today! Our team is eager to connect with businesses in any industry. We serve the local needs of Ventura County and Santa Barbara as well as anywhere in the United States.