In this post, we look at CCPA, which came into effect at the beginning of 2020.
CCPA has been talked about as the US version of GDPR. This is true in the sense that it aims to give consumers more information on how their data is used, but there are some key differences.
What Does CCPA Do for Consumers?
The legislation allows Californian consumers to access key data when they make a ‘verifiable request’. They are then able to see:
- The categories of personal information which a business has collected about them.
- The sources from which the personal information is collected.
- The business or commercial reasons for collecting or selling personal information.
- Categories of third parties with which personal information is shared.
- The specific pieces of personal data about consumers which have been collected.
Who Is Affected by CCPA?
The legislation is specifically aimed to protect the residents of California. However, CCPA can apply to any company that does business in California.
The businesses covered are those meeting one or more of the following criteria:
- Businesses with annual gross revenue of more than $25 million.
- Those businesses which receive, sell, or share the personal data of 50,000 or more consumers.
- Businesses where 50% or more of annual revenue comes from selling consumers’ personal information.
California has a population of almost 40 million and a sizeable economy, so this act is likely to have a global impact. Moreover, it’s likely that other states will introduce similar legislation in the coming years.
Therefore, any company that matches the above criteria needs to ensure that they are compliant.
When Does CCPA Come Into Force?
The bill is already in force, from January 1, 2020. However, though individuals will have the right to bring forward suits relating to data breaches, the legislation will not be enforced until July 2020.
The Attorney General in California is prohibited from taking any enforcement action before July 1, 2020.
Is CCPA the Same as GDPR?
The short answer is no. While both pieces of legislation seek to address consumer concerns about the use of their private data, they are very different in scope.
CCPA represents a shift towards transparency but, unlike GDPR, it doesn’t require any stricter consent when, for example, consumers sign up to receive marketing emails.
Therefore, while companies have to ensure that they are compliant and ready to provide the information that consumers request, there is no legal requirement to change the way data is collected from consumers.
However, if companies participate in the “sale” of personal information to third parties, then they must provide a consumer with the option to opt out of this activity.
There are a number of caveats to what constitutes a sale of personal data. For example, a service provider who solely collects personal data to provide services to a company for that company’s business purpose should be exempt under the legislation from this opt-out requirement.
This blog post is based on opinion only and does not constitute legal advice. If you are unsure of your compliance relating to the CCPA or any other legislation you should obtain your own legal advice.
Graham Charlton is Editor in Chief at SaleCycle. He's been covering ecommerce and digital marketing for more than a decade, having previously written reports and articles for Econsultancy, ClickZ, Search Engine Watch and more.