How are personal data and consumer rights defined in the California Consumer Privacy Act (CCPA)?
Privacy concerns have entered the mainstream. High-profile data breaches and news of companies selling data has caused consumers and regulators to ask questions and demand answers. New data privacy laws are designed to protect personal data and put power back into the hands of the consumer.
Chief among the new laws is the California Consumer Privacy Act (CCPA). Born from a consumer-driven ballot initiative to protect personal data privacy, CCPA will go into effect January 2020. With California the fifth largest economy in the world, CCPA is influencing the privacy landscape across the United States. That’s why it’s important to understand how consumer rights and personal data are defined under CCPA, and how businesses will be affected.
What’s shaking consumer trust?
In the first few months of 2019 alone, several stories came to light regarding companies selling customers’ location data to third-party service providers, including AT&T, which announced upon discovery that it would terminate all location-sharing agreements. Other mobile service providers followed suit. IBM’s Weather Channel app is also under scrutiny following a lawsuit by the city of Los Angeles, claiming that it tracks users “throughout the day and night” to sell their personal location data to advertisers, retailers and hedge funds.
Data breach investigations are also threatening to business integrity. Chances are high that a company will experience a data breach of some sort. In fact, according to the Ponemon Institute, businesses are more likely to suffer a data breach of at least 10,000 records than an individual is to catch the flu this winter. If a data breach becomes public, suddenly a light will be shined on a business’s data privacy practices, triggering a closer look by regulators.
Key definitions in CCPA
The California legislature rushed to draft and pass CCPA, primarily because it is easier to amend than a law enacted via the state’s initiative process. But the fast-tracked process produced a law with confusing and contradictory language that leaves many details unexplained or open for interpretation. Therefore, it’s important to have a grasp of consumer rights outlined by CCPA, what is classified as “personal data” and how it applies to a business.
“Personal data” as defined under CCPA is much broader than one would think, extending beyond the conventional names, addresses, emails, phone numbers, license and social security numbers to include biometric data, IP addresses, geolocation data, online aliases, employment and education information, purchasing history, internet activity (e.g. browsing and search history, web tracking data) and any “inferences drawn” from this data.
CCPA introduces the following rights for consumers regarding such personal data:
Impact of CCPA
Any breach of these rights under CCPA will result in hefty fines enforced by the Attorney General that can reach up to $7,500 per intentional violation and up to $2,500 for non-intentional violations. Affected consumers also have the right to take individual or class action lawsuits against offending businesses. With damages ranging between $100 and $750 per violation, costs could escalate quickly. A data privacy lawsuit could easily put a small-sized company out of business. On the other hand, demonstrating commitment to CCPA and data privacy overall will become a competitive advantage that fosters trust with your customers.
To understand how CCPA will impact your company’s data privacy strategy, download our eBook, The Ultimate Guide to California’s Data Privacy Law.