Arriving only months after the EU released their data privacy update, GDPR, California passed The California Consumer Privacy Act (CCPA), providing similar protection to its residents regarding their personal data. Due to privacy leaks, scandals, and big data trends in recent years, privacy has emerged as a focal point in the world of tech, as consumers are becoming increasingly aware of the use and trade of their data.
The bill features two large privacy rights for California residents — both of which share close similarities to rights granted by GDPR in the EU:
Right to request:
1798.100. – A consumer shall have the right to request that a business that collects a consumer’s personal information disclose it to that consumer.
Right to deletion:
1798.105. (a) – A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
These rights allow for California residents to have greater control over how their data is handled in the future. For companies, data privacy compliance will prove to be of greater importance, mandating that all companies that control data must be capable of efficiently responding to access and deletion requests from users.
Beyond these rights for data subjects, users will also be protected by the law in case of cybersecurity threats, with the option to sue corporations over data breaches.
Ballot to Bill in a Month
The CCPA was finalized only a month after a similar ballot measure created by Alastair Mactaggart was approved for voting in November. After the CCPA passed, Mactaggart removed the ballot measure — which was designed with the same goals as the bill.
Some differences exist between the ballot and the bill, including that the bill can be amended by legislators until 2020 and beyond. In contrast, ballot measures once passed can only be changed with a vote from the entire state. Additionally, the ballot allowed for consumers to sue corporations over any part of the privacy law — while the bill allows for individuals to sue over data breaches, with the Attorney General enforcing all other provisions.
What is at stake
If businesses fail to comply with the regulation, fines of up to $7,500 will be imposed on each case. Eighty percent of this will go to the affected data subject while the remaining 20 percent will contribute to a new Consumer Privacy Fund. While this differs from 4% of global revenue or €20 million that GDPR enforces, consumers will be motivated to track and report instances of firms violating the California law. With this incentive, companies will be hard pressed to comply and ensure that customers are satisfied with their privacy.
The California Consumer Privacy Act has been amended several times since this article was originally published, most notably by the California Privacy Rights Act.
