In June 2018, California passed AB 375, a consumer privacy act that allows any California consumer to demand and see all the information a company has stored on them, including a complete list of all third parties with which their data has been shared. The law also gives consumers the right to sue companies over a deemed violation of privacy guidelines, even when there is no breach.
Companies Affected by the CCPA
The CCPA affects all companies that serve California residents and have at least $25 million in annual revenue. They are required to comply with the law. In addition, any company that holds personal data on a minimum of 50,000 people, or that collects over half of its revenue from sales of personal data, is also covered. A company does not have to be based in California, or have an actual presence in the state, to be covered. In fact, it does not even need to be physically based in the US.
In April, an amendment was approved that exempts insurance, agents, and support organizations, because they are already subject to similar regulations under California's Insurance Information and Privacy Protection Act (IIPPA).
Complying with the CCPA
The CCPA took effect on January 1, 2020. In practice, companies were required to have data tracking systems in place at the start of 2019, given that consumers have the right to request data collected by the company over the past 12 months, which is quite a tight timeframe.
Companies are given 30 days to fully comply with the law once they are notified of a violation. If the issue is neglected and not resolved, a fine of up to $7500 per record can be expected. The number of records affected by a breach may quickly increase.
The act has some implications. For example, there is a potential financial risk, because it gives an individual the right to sue, which allows a class-action lawsuit for damages. There is also a 30-day window that begins the moment the consumer gives a company written notice indicating their belief that their privacy rights were violated. If the issue is not resolved and the attorney general declines prosecution, a class action suit can be brought. This time, it is just about the breaches.
For instance, the law specifies that companies need a clear and visible footer on their websites. This footer offers the consumer the option to allow or opt out of data sharing. If a company fails to place this footer, consumers can easily sue it. The same can happen if consumers cannot find out how their information was collected, or cannot receive copies of that information.
Data Covered by the CCPA
The California law takes a broad approach, relative to the GDPR, to what constitutes sensitive data. For instance, among the things covered are olfactory information and the records and browsing history of a visitor's interaction with an application or website.
AB 375 treats identifiers as personal information, including a person's real name, alias, unique identifier, postal address, email address, online identifier, IP address, account name, driver's license number, Social Security number, passport number, and others.
Certain characteristics of protected classifications under federal or California law are also covered as personal information, including commercial data such as personal property records, services or products purchased, and other buying or consuming tendencies or histories.
The act also covers biometric details and internet or other electronic network information and activity, which includes browsing history, search history, and information about a consumer's interaction with a website, advertisement, or application.
AB 375 also treats as personal information geolocation data and electronic, audio, thermal, visual, olfactory, or similar information. This could also include employment-related or professional information and education information, meaning the type of information that is not publicly available.
The CCPA was created to ensure that companies let their consumers choose not to have their personal data shared with other companies, including third parties. This means that companies will now be able to separate the data they collect according to a user's privacy choices. In addition, even though a company will not be able to refuse equal service, it can generally offer incentives to users who provide personal information. With this act, it seems that the state of California is working hard to define a framework in which customers can easily get paid to share their data.