Updated November 30, 2020.
California was one of the first states in the US to enshrine privacy as an “inalienable right” of all people, when it amended its constitution in 1972.
On January 1, 2020, California became the first state to enact a data privacy law that will empower its residents with ownership over their personal information and change the way companies handle personal information across the United States and the rest of the world.
As California goes, so goes the nation, so let’s have a look at the new California privacy law and its consequences.
What does it mean for your company and your website? How can you become compliant? And what are the differences between it and the European GDPR?
Become compliant with Cookiebot consent management platform (CMP).
California’s privacy law
According to a recent survey by Pew Research Center, a majority of Americans believe it to be impossible to go through daily life without having their data collected.
The survey was conducted with participation of more than 4,000 people over the summer of 2019.
81 percent of the American public feel that the potential risks they face because of data collection outweigh the benefits, and 79 percent feel concerned about the way their data is being used by companies.
Three out of four Americans, the survey also showed, want more power over their own data, and believe there should be more regulation around how companies handle data.
CCPA privacy: California is becoming the frontier of US data privacy law.
As the first state in the nation, California has enacted a data privacy law, the CCPA, that effectively moves the legal reality of digital privacy closer to the people’s wishes for more control over their own data and more regulatory supervision of the tech companies handling that data.
The new California privacy law (CCPA) might very well become the de facto standard for data rights across the US, not only because it is the very first of its kind in the country, but because California is the largest state in the US with forty million residents and, if it were its own country, would be the fifth largest economy in the world.
A business in, say, Wyoming or Vermont will be required to comply with the CCPA if it buys, receives, sells, or shares the personal information of at least 50,000 California residents, households or devices annually.
The impact of this requirement means that a lot of US companies will have to seek compliance with the new California privacy law, even if they are located outside of California.
In fact, the impact of the new California privacy act will also be felt globally – since the same requirements for compliance will be forced upon companies in Europe or Asia, if they fall under the definition of a business in the CCPA.
For more on the CCPA and how it came to pass as California state law, take a look at our CCPA long-read here.
Try Cookiebot CMP free for 30 days for CCPA compliance… or forever if you have a small website.
The California Privacy Rights Act (CPRA)
In the General Election on November 3, 2020, a majority of California residents voted to pass the new California Privacy Rights Act (CPRA).
The California Privacy Rights Act (CPRA) is an addendum to the CCPA and expands data privacy rights for consumers, tightens requirements for businesses collecting and sharing personal information and creates a new government agency to enforce California’s privacy laws.
The California Privacy Rights Act (CPRA) will take effect in January 2023 and enter into enforcement in July 2023. However, the CPRA has a 12-month look-back period, which means that data collected and shared from January 2022 is liable under the CPRA.
Compliance with Cookiebot CMP
Cookiebot CMP is a consent management platform that scans your website, finds all cookies and similar tracking technology and empowers the end-users with the choice of consent.
This way, website owners empower their end-users with the choice to decide who they wish to share their personal information with.
This is the bedrock of strong data privacy, as mandated by the European GDPR and now also the California privacy act.
Cookiebot CMP enables CCPA compliance with new configuration.
Cookiebot CMP consent solution is one of the leading platforms in the privacy industry to enable full GDPR compliance for websites all over the world.
Cookiebot CMP offers compliance with the CCPA in California, alongside our existing solution for compliance with the European GDPR.
That’s because our technology can be configured and customized to meet the compliance standards of both the CCPA and GDPR, depending on where your business and end-users are located.
Whether your company is based in the US, EU or anywhere else in the world, the landscape of data privacy is rapidly changing, and new requirements mean companies must be mindful of how they handle user data.
By using Cookiebot CMP, websites and companies worldwide can rest assured that they handle their end-users’ data with transparency and compliance.
Consumer protection under the California privacy law
The California privacy act (CCPA) sets up a legal framework, whereby California residents can claim ownership of their data. It also requires companies who do business in California to provide users with easy ways of exercising their newly created data rights.
However, there are certain definitions in the law that both individuals and companies must fall under in order for the California privacy law to apply.
Let’s have a look at them now.
New consumer rights under the California privacy law
Among the rights that the California privacy law empowers state residents with are the right to opt-out of having one’s personal information sold to third parties, the right to disclosure of what personal information has been collected in the past 12 months, and the right to deletion of that data.
Failure to comply can result in fines of $7,500 per violation and $750 per affected user in civil damages for businesses.
Who is protected by the California privacy act?
To be protected by the California data law, a consumer must be a natural person who is either in the state for other than a temporary purpose or who is domiciled in the state, but temporarily outside of the state (e.g. on vacation or business trip).
The new California privacy act protects only California residents.
Individuals who are simply passing through, on a brief rest or vacation, or in the state to complete a particular transaction or perform a particular contract are deemed to be in the state for temporary or transitory purposes. They do not fall under the California privacy law as consumers and hence are not protected by the CCPA.
It is not enough to simply be located in the state when having one’s data collected by a business (e.g. tourists vacationing in the state).
California privacy law’s definition of personal information
The new California data law (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information can include:
- Identifiers such as real name, alias, postal address, social security numbers, driver’s license and passport information.
- Identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
- Geolocation data such as location history via devices,
- Internet activity such as browsing history,
- Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences and so on.
Even data that is not by definition personal information might fall under the category, if it can be used to draw inferences that create profiles reflecting a consumer’s “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”
The new California privacy law effectively creates a whole new way of viewing data in the US.
Business compliance with the California privacy law
Enforcement of the CCPA began in August 2020, with the approval of the final CCPA regulations.
If you haven’t already made your website compliant, now is the time to take action.
To be regarded as a business under the CCPA rules, a company has to meet at least one of the following three criteria:
- have an annual gross revenue exceeding $25 million,
- derive 50% or more of its annual revenues from selling consumers’ personal information,
- buy, receive, sell, or share the personal information of 50,000 or more California residents, households or devices a year.
CCPA privacy: California is the frontier of US data privacy law.
If your company seeks compliance with the California privacy law, the following non-exhaustive checklist runs you through some of the key requirements.
- Businesses must feature a Do Not Sell My Personal Information link on their website that users can use to opt-out of third-party data sales.
- Businesses must provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
- Businesses must respond to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.
- Businesses must obtain opt-in consent from consumers aged 13 to 16 before selling their personal information, and obtain opt-in consent from parents or legal guardians for consumers under the age of 13.
- Businesses must provide consumers, free of charge, with the records of personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
- Businesses must respond within 10 days of receiving requests for disclosure or deletion with information on how the request will be processed. Substantive responses must be given to the consumer within 45 days of receiving a verified request.
- Businesses must include two steps for a deletion request, whereby the consumer can submit the request and subsequently agree to the personal information to be deleted.
- Businesses must only offer financial incentives (e.g. different prices, rates and quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
- Businesses must refrain from discriminating based on a consumer’s choice to exercise their rights.
California privacy law and the GDPR
When comparing the California privacy law (CCPA) to the European data regulation (GDPR), it becomes clear that though there are similar intentions and provisions, the two data privacy laws are very different.
Where the European GDPR protects anyone in the EU, the CCPA only protects California residents.
According to the new California privacy law, it is not enough to be located in the state at the time of collection or processing; you must have permanent residency in the state in order to be protected.
The GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is about creating transparency in California’s huge data economy and rights for its consumers.
For more, take a look at our comprehensive CCPA vs GDPR comparison.
Summary: what does the California privacy law mean for me?
If you have a company that falls under the CCPA privacy definition of a business, you are obligated to obtain compliance with the California privacy law, regardless of where in the world your company is based.
Cookiebot CMP offers compliance with CCPA (and as always GDPR) for your company and its website.
What is the California privacy law?
California’s privacy law is called the California Consumer Privacy Act (CCPA) and is a state-wide law that governs the collection, use, sharing and selling of California residents’ personal information by businesses. It came into effect on January 1, 2020, and is enforced by the California Attorney General.
Who is liable under the California privacy law?
A business under the CCPA is any company or for-profit organization that has an annual gross revenue exceeding $25 million, derives 50% or more of its annual revenues from the selling of consumers’ personal information, or buys, receives, sells or shares the personal information of more than 50,000 California residents, households or devices per year.
What is personal information in California?
Personal information is defined by the CCPA as any kind of information that can directly or indirectly identify a living individual. This includes names, addresses, social security numbers, driver’s licenses, health data, location history, personal characteristics, religious beliefs, political convictions, sexual orientation and indirect identifiers such as website cookies, IP addresses, browser and search history.
How to comply with the California privacy law?
Businesses whose websites collect, share or sell personal information from California residents must inform users that they do so, enable them to opt out of third-party data sales, and give them the opportunity to access, or have deleted, data that has already been collected.