Updated November 30, 2020.
California was one of the first states in the US to enshrine privacy as an “inalienable right” of all people, when it amended its constitution in 1972.
On January 1, 2020, California became the first state to enact a data privacy law that will empower its residents with ownership over their personal information and change the way companies handle personal information across the United States and the rest of the world.
As California goes, so goes the nation, so let’s have a look at the new California privacy law and its consequences.
What does it mean for your company and your website? How can you become compliant? And what are the differences between it and the European GDPR?
According to a recent survey by Pew Research Center, a majority of Americans believe it to be impossible to go through daily life without having their data collected.
The survey was conducted with participation of more than 4,000 people over the summer of 2019.
81 percent of the American public feel that the potential risks they face because of data collection outweigh the benefits, and 79 percent feel concerned about the way their data is being used by companies.
Three out of four Americans, the survey also showed, want more power over their own data, and believe there should be more regulation around how companies handle data.
CCPA privacy: California is becoming the frontier of US data privacy law.
As the first state in the nation, California has enacted a data privacy law, the CCPA, that effectively moves the legal reality of digital privacy closer to the peoples’ wishes for more control over their own data and more regulatory supervision of the tech companies handling that data.
The new California privacy law (CCPA) might very well become the de facto standard for data rights across the US, not only because it is the very first of its kind in the country, but because California is the largest state in the US with forty million residents, and, if it was its own country, would be the fifth largest economy in the world.
A business in, say, Wyoming or Vermont will be required to comply with the CCPA if it buys, receives, sells, or shares the personal information of at least 50.000 California residents, households or devices annually.
The impact of this requirement means that a lot of US companies will have to seek compliance with the new California privacy law, even if they are located outside of California.
In fact, the impact of the new California privacy act will also be felt globally – since the same requirements for compliance will be forced upon companies in Europe or Asia, if they fall under the definition of a business in the CCPA.
For more on the CCPA and how it came to pass as California state law, take a look at our CCPA long-read here.
Try Cookiebot free for 30 days for CCPA compliance... or forever if you have a small website.
In the General Election on November 3, 2020, a majority of California residents voted to pass into the new California Privacy Rights Act (CPRA).
The California Privacy Rights Act (CPRA) is an addendum to the CCPA and expands data privacy rights for consumers, tightens requirements for businesses collecting and sharing personal information and creates a new government agency to enforce California’s privacy laws.
The California Privacy Rights Act (CPRA) will take effect in January 2023 and enter into enforcement in July 2023. However, the CPRA has a 12-month look-back period, which means that data collected and shared from January 2022 is liable under the CPRA.
Cookiebot is a consent management platform that scans your website, finds all cookies and similar tracking technology and empowers the end-users with the choice of consent.
This way, website owners empower their end-users with the choice to decide who they wish to share their personal information with.
This is the bedrock of strong data privacy, as mandated by the European GDPR and now also the California privacy act.
Cookiebot enables CCPA compliance with new configuration.
Cookiebot’s consent solution is one of the leading platforms in the privacy industry to enable full GDPR compliance for websites all over the world.
Cookiebot offers compliance with the CCPA in California, alongside our existing solution for compliance with the European GDPR.
That’s because our technology can be configured and customized to meet the compliance standards of both the CCPA and GDPR, depending on where your business and end-users are located.
Whether your company is based in the US, EU or anywhere else in the world, the landscape of data privacy is rapidly changing, and new requirements means companies must be mindful of how they handle user data.
By using Cookiebot’s consent management solution, websites and companies worldwide can rest assured that they handle their end-users’ data with transparency and compliance.
The California privacy act (CCPA) sets up a legal framework, whereby California residents can claim ownership of their data. It also requires companies who do business in California to provide users with easy ways of exercising their newly created data rights.
However, there are certain definitions in the law that both individuals and companies must fall under in order for the California privacy law to apply.
Let’s have a look at them now.
Among the rights that the California privacy law empowers state residents with are the right to opt-out of having one’s personal information sold to third parties, the right to disclosure of what personal information has been collected in the past 12 months, and the right to deletion of that data.
Failure to comply can result is fines of $7,500 per violation and $750 per affected user in civil damages for businesses.
To be protected by the California data law, a consumer must be a natural person who is either in the state for other than a temporary purpose or who is domiciled in the state, but temporarily outside of the state (e.g. on vacation or business trip).
The new California privacy act protects only California residents.
Individuals who are simply passing through, on a brief rest or vacation, in the state to complete a particular transaction or perform a particular contract are deemed to be in the state for temporary or transitory purposes and will not fall under the California privacy law as a consumer, and hence not protected by the CCPA.
It is not enough to simply be located in the state when having one’s data collected by a business (e.g. tourists vacationing in the state).
The new California data law (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information can include:
Even data that is not by definition personal information might fall under the category, if it can be inferred to create profiles that reflect a consumer’s “preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”
The new California privacy law effectively creates a whole new way of viewing data in the US.
Enforcement of the CCPA began in August 2020 with the approval of the final CCPA regulations.
If you haven’t already made your website compliant, now is the time to take action.
To be regarded as a business under the CCPA rules, a company has to meet one of the three following attributes:
CCPA privacy: California is the frontier of US data privacy law.
If your company seeks compliance with the California privacy law, this checklist will run you through the basic requirements necessary.
Here is a non-exhaustive CCPA compliance checklist to inform you of some of the key requirements.
When comparing the California privacy law (CCPA) to the European data regulation (GDPR), it becomes clear that though there are similar intentions and provisions, the two data privacy laws are very different.
Where the European GDPR protects anyone in the EU, the CCPA only protects California residents.
It is not enough to be located in the state at the time of collection or processing, according to the new California privacy law, you must have a permanent residency in the state in order to be protected.
The GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is about creating transparency in California’s huge data economy and rights for its consumers.
For more, take a look at our comprehensive CCPA vs GDPR comparison.
If you have a company that falls under the CCPA privacy definition of a business, you are obligated to obtain compliance with the California privacy law, regardless of where in the world your company is based.
Cookiebot offers compliance with CCPA (and as always GDPR) for your company and its website.
California’s privacy law is called the California Consumer Privacy Act (CCPA) and is a state-wide law that governs the collection, use, sharing and selling of California residents’ personal information by businesses. It came into effect on January 1, 2020 and is enforced by the California Attorney General.
A business under the CCPA is any company or for-profit organization that have an annual gross revenue exceeding $25 million or derives 50% or more of its annual revenues from the selling of consumers’ personal information or buys, receives, sells or shares the personal information of more than 50.000 California residents, households or devices per year.
Personal information is defined by the CCPA as any kind of information that can directly or indireclty identify a living individual. This includes names, addresses, social security numbers, driver’s license, health data, location history, personal characteristics, religious beliefs, political convictions, sexual orientation and indirect identifiers such as website cookies, IP addresses, browser and search history.
Businesses who have websites that collect, share or sell personal information from California residents must inform users that they do so, as well as enabling them to opt out of third-party data sales and giving them the opportunity to access or have deleted already collected data.