The California Consumer Privacy Act (CCPA) is a privacy or data protection law. It gives effect to the right to privacy in the California Constitution. The CCPA grants a consumer various rights regarding their personal data. These include the right to know what personal information is being processed, the right to delete personal information and the right to opt out of the sale of personal information.
There are CCPA Regulations that go with the Act.
Who must comply with the CCPA?
Only a limited number of organisations need to comply. It is essentially only very large businesses or businesses that make money off personal information. A business only needs to comply with the CCPA if it:
- has annual gross revenues exceeding $25,000,000,
- processes, for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The commencement date of the CCPA
The CCPA commences on 1 January 2020 with a six-month grace period before the Attorney General will bring any enforcement action. The CCPA will undergo some changes before the enforcement date on 1 July 2020. The final draft should be released shortly before that date.
The California Senate proposed certain amendments to AB-713, which amends the CCPA, on 11 June 2020. They first introduced AB-713 in 2019 and this will be the new revised version. However, both houses need to pass these amendments before they become law. AB-713 addresses de-identification and information used for research and public health purposes. This is particularly relevant given the COVID-19 pandemic.
The new AB-713 amendment will add new contractual requirements for the sale or license of de-identified patient information. AB-713 will also expand on the existing exemption in the CCPA. The first AB-713 proposed an exemption related to patient information for research purposes. The new amendment will broaden the scope of research activities that the exemption includes.
The relationship between the CCPA and other Data Protection Regulation
The different data protection laws overlap in many respects but there are nuances to each. For example, a business that is required to comply with both the CCPA and GDPR will find that compliance under one will not necessarily meet the requirements under the other. This is particularly relevant in the case of the United States of America as each state begins creating its own consumer privacy act. The CCPA was the first and the Washington Privacy Act will soon follow.
Businesses that trade data across state and country borders will need to ensure they comply with all data protection regulation requirements. When the Federal COPRA comes into effect it will supersede the CCPA in terms of any conflicts unless the CCPA affords greater rights to the consumer than COPRA.