On January 1, 2020, the California Consumer Privacy Act (CCPA) has entered into effect, described by many as a landmark law and, according to the American Bar Association, the most comprehensive privacy legislation to be enacted in the United States of America. The CCPA was passed in 2018 and is aimed at providing consumers with more control over their personal data. The law bears a certain  resemblance with the EU General Data Protection Regulation – GDPR (it is referred to by some as “GDPR-lite”), however, it differs in some essential points, one of them being that while the GDPR applies to all data processing entities and is based on the concept that a legal basis is required in order to lawfully process personal data and applies to all data processing entities, the CCPA provides a specific opt-out option for consumers who do not want their personal data sold to third parties.

The five new privacy rights under the CCPA are:

  • the right to request a disclosure on what information a business collects, including the categories of personal data, the source of the information and how the data is used, if it was disclosed to third parties and if so, to which categories of third parties,
  • the right to request a copy of that information,
  • the right to have one’s data deleted,
  • the right to request that one’s personal data not be sold to third parties, and
  • not to be discriminated against because of the exertion of the above rights.

The right to request that one’s personal data not be sold corresponds with the businesses’ obligation to implement a Do Not Sell My Personal Information” link or button, which you may already have come across on some of the websites you visit. Besides, companies are required to update their privacy policies.

Who are the addressees of the new law?

Companies or organizations –regardless of their business domicile– that do business in California and collect directly or indirectly consumers’ personal information, solely or jointly determine the purposes of the processing of such information, and either

  • have an annual gross revenue above $ 25m,
  • derive 50% or more of their annual revenue from selling consumers’ personal information,
  • or annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

Who are the beneficiaries?

The law only applies to residents of the State of California. Since it is cumbersome to create a separate infrastructure only for California residents, companies may decide not to distinguish by place of residence and grant the new consumer rights to all their victors. Or, the “do not sell” button may be visible to all visitors, but requests will be honored exclusively of California residents.

How do you request your own data?

Well, first of all, you need to be a resident of the State of California. Now, in order to receive a copy of your own data, you must send a “verifiable consumer request” to the company. Your request must be honored within 45 days of receipt; in some cases, this period can be extended to a maximum of 90 days. This request can only be made twice a year and only for the past 12 months in each case.

What if the business does not comply?

Companies may face fines of $2,500 to $7,500 per violation of the CCPA if the violation is deemed intentional. The new law is enforced by the California attorney general. However, businesses have a 30-day period to address a violation after receipt of a consumer’s request, a so-called “right to cure”, which has been criticized for giving companies too much leeway. The California attorney general will not take enforcement actions against incompliant companies before July 1, 2020.

What lies ahead?

It will be interesting to see if and to what extent other states will follow the Californian example and enact similar regulations. Another aspect that deserves closer attention is that some companies, such as, for instance, Facebook might attempt to argue their way out of the new law’s scope of applicability, claiming that they do not “sell” personal information.

Furthermore, companies will need to pay close attention to their authentication mechanisms to identify a requestor so as to avoid producing a data breach by disclosing information to an unauthorized recipient.