What is the California Consumer Privacy Act? (& How to Prepare for It)

Written by: Emmilly Best, Jennifer Hester

By now you’ve heard of the General Data Protection Regulation also know as “GDPR” that passed in the European Union in 2016 and went into effect in 2018. GDPR compliance applies to any company that does business with online users in the European Union, whether or not they are EU residents.

But did you know that there are data privacy laws like this in the United States? And even more so, state laws that are more specific and stringent.

If you do business in the United States (namely California) – you’ll want to keep reading.

State-specific laws in the United States apply to any company (defined by the state) doing business with residents of those particular states. Additionally, compliance with GDPR doesn’t mean compliance with these state-specific laws.

What is the California Consumer Privacy Act or CCPA?

The most notable state law is the California Consumer Privacy Act (CCPA) passed in 2018, which goes into effect January 1, 2020, granting California residents the rights to:

  1. Know the business’s data collection practices
  2. Receive a copy of their personal information collected in the last 12 months and receive it within 45 days
  3. Have such information deleted
  4. Know the business’ data sale practices and to request that their personal information not be sold to third parties
  5. To not be discriminated against based on exercising these rights

Who Does the CCPA Protect?

Note that this law grants rights to California residents (defined by income tax filings), making the scope narrower than that of GDPR. To learn more about the CCPA specifics, read more here.

Which Companies are Impacted by the CCPA?

Additional to the California resident stipulation, this law only applies to for-profit companies that check off one of these requirements:

  • Earn +$25 million in annual gross revenue
  • Process personal data of  +50,000 California residents
  • Profit  +50% of its revenue from the sale of California residents’ data

What are the Penalties for Violating the CCPA?

While GDPR fines are astronomically higher than the CCPA’s, the penalties are still worth noting. First, the Attorney General must provide 30 days’ prior notice of noncompliance before taking action or fining businesses. Then the fines begin.

According to the following provisions, penalties are currently on a per violation basis without a defined maximum:

  • Fines for companies are $2,500 per violation (and $7,500 for willful violations)
  • Fine for individuals are $100 to $750 per violation

What to do if Your Company is Impacted by the CCPA

Businesses must update their website to include:

  1. New California rights and how to exercise them must be disclosed.
  2. Websites must disclose:
    1. Categories of information collected
    2. Sources of information
    3. Categories of information sold and shared for business purposes
  3. There must also be a link in the footer of the homepage titled “Do Not Sell My Personal Information,” that leads users to an opt-out page.
  4. This update must be posted by January 1, 2020, and updated annually.
  5. Companies will be required to stop selling people’s data upon their request at any time.

For the latest updates on GDPR and state-specific laws related to data privacy, subscribe to Seer’s blog. And to learn more about what Seer’s Analytics team can do for you, contact us below.