What is the CCPA and will it affect my business?
The California Consumer Privacy Act (CCPA) is a bill intended to enhance privacy rights and consumer protection for residents of California. The bill was passed by the California State Legislature and signed into law by then-governor Jerry Brown on June 28, 2018. Officially called AB-375, the law goes into effect on January 1, 2020.
Essentially the intent is to:
The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:
Responsibility and accountability
Sanctions and Remedies
The following sanctions and remedies can be imposed:
What is 'Personal Data'?
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
An additional caveat covers information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
It does not consider Publicly Available Information as personal.
Key differences between CCPA and the European Union's GDPR include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information.
The CCPA's definition of personal information differs from the GDPR's in that, in some cases, the CCPA only considers data that was provided by a consumer and excludes personal data that was purchased by, or acquired through, third parties [the italicized portion of this sentence is open to debate]. The GDPR does not make that distinction and covers all personal data regardless of source (even in the event of sensitive personal information, this doesn't apply if the information was manifestly made public by the data subject themselves, following the exception under Art. 9(2)(e)). As such, the definition in the GDPR is much broader than the one in the CCPA.