Insights

CCPA

November 5, 2020

With the CCPA now entering enforcement, what do businesses need to know?

The global data regulation landscape underwent another shift recently as the California Consumer Protection Act (CCPA) entered its enforcement phase in the beginning of July. The much-anticipated regulation first entered law on the 1st of January 2020, but any enforcement was limited to civil actions. The CCPA also underwent some additional changes in August – the US legal system being notably more flexible about amendments than its EU counterpart.

So what does this new regulation mean for organisations doing business in California and how different is it from the GDPR? We’ll start off by looking at the CCPA’s new consumer rights, scope and timeframes.

What rights does it grant?

As per the name, the CCPA is focused entirely on ‘consumers’ – which includes users of free services as well as paying customers. Employees will fall under the legislation in January 2021.

The CCPA imparts five key rights:

  • The right of Californians to know what personal information is being collected about them
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

What is the scope?

The scope of the CCPA is far narrower than the GDPR, and only applies to organisations that have a physical base of operations within the state.

A Californian business is liable under the CCPA if they meet any of the following three criteria:

  • Has annual gross revenues in excess of $25 million.
  • Annually buys or receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

The regulation is squarely aimed at larger companies rather than the small ‘mom and pop’ type business. However, most companies specialising in data sales will still fall under its remit no matter their size.

The CCPA also only applies to Californian residents as defined by tax legislation – meaning anyone who resides there long enough to pay some form of tax. This contrasts with the GDPR which is more accommodating of temporary residents in the EU.

What are the time limits?

The CCPA has taken a comparable approach to timescales to the GDPR. Companies will be given a standard 45 days to respond to a data request and can extend this for a further 45 days as long as they alert the requestee within the initial deadline. This means that firms will have a longer initial period than the GDPR’s single calendar month, but the same overall extended deadline of roughly three months. As the CCPA deals in days rather than months, it also does away with any issues relating to months of different lengths.

Another notable difference in timing is that the CCPA only applies to information from within the last 12 months, whereas the GDPR’s lack of limit can have firms trawling through many years of data when it comes to a long term customer or employee.

Check back soon for part two, where we’ll delve into the penalties the CCPA can dish out, and what businesses should be doing to prepare.