The CCPA (California Consumer Privacy Act), starting January 1, 2020, is also considered as “California’s GDPR” by many. Since the CCPA act has been proposed, many companies are racing against time to update their privacy policies and systems.
Thousands of businesses, which collect personal data of California residents, their households and devices, will be impacted by the new requirements of CCPA.
Please note: The information provided in this article is informational in nature. It does not constitute and is not a substitute for legal advice.
Who exactly is covered by CCPA?
The CCPA applies to any commercial entity (for-profit) which is doing business in California that collects, shares, or sells California consumers’ personal data, and:
- Has annual gross revenues in excess of $25 million; or
- Collects and stores personal information of 50,000 or more consumers, households, or devices; (e.g. Websites which sells and collect leads online, Forums, e-commerce sites, etc.) or
- Earns more than half of its annual revenue from selling consumers’ personal information. (Digital Marketing, Tele-Marketing, Marketing Agencies, etc.)
So, if your website or business collects or uses personal data from California residents and meets any of the above criteria, it is very likely subject to CCPA.
While CCPA itself doesn’t clearly define what it means by the statement “doing business in California,” other legal standards like GDPR suggest that most of the websites which operate online will easily meet this threshold or will meet in the course of business. It doesn’t mean that you need to have operations or employees in California.
CCPA also applies to any business entity that owns, is owned by, or shares common branding with a parent holding business. That makes the reach of CCPA far-reaching.
CCPA Vs GDPR: Is CCPA any different from GDPR?
Conceptually at many levels, CCPA is very similar to GDPR, however, it has some differences:
CCPA does not specifically give consumers the right to rectify inaccurate personal data, object to processing or restrict processing personal data. In a way, it provides somewhat limited rights for consumers to access and delete personal data.
However, CCPA requires businesses to:
- Disclose to consumers – That they share or sell personal information
- Add an option for website visitors to indicate – “Do Not Sell My Personal Information option on the website.”.
- Provide a phone number (toll – free) for consumer requests
- Collect consent to sell data from any consumer under 16, or from a parent or guardian for any consumer under 13
- Treat customers equally on service and price, regardless of whether they have exercised their rights under the law
These additional requirements require additional action to be taken by affected businesses, that may have already worked for GDPR compliance.
What are the penalties under CCPA?
CCPA provides users, whose personal information has been compromised via data breaches, the right to penalize businesses, with penalties up to $750 per user per violation. These statutory damages can be significant: A single breach affecting 50,000 California customers could yield $37.5M in statutory damages alone. These damages can be pursued via class action litigation. Moreover, consumers are not limited by the statutory amount, if they are able to show actual damages are greater from such a violation.
This right of action is applicable, however, only in cases where the business failed to follow “reasonable practices and procedures” to avoid the data breach.
The law also provides a 30-day cure period for noticed violations. A cure period usually means – a period specified in the Agreement for fixing any breach. A business thus can avoid statutory penalties by fixing the breach within the period. However, the term “cure” is not clearly defined in the law. Usually, with breaches of private data, the consumer would have already been affected. Hence, it’s not entirely clear how a business could “cure” such a data breach when the data has already been leaked.
In case of violations, the California Attorney General may seek additional penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. The AG may also seek an injunction against a company, it believes to be violating CCPA, which could lead to the closure of the business.
Is there any Free WordPress Plugin for CCPA?
WPLegalPages WordPress Plugin Generates Policy Notices for CCPA which can be used as a quick way to help websites to comply with disclosures. The templates are also updated as per the latest CCPA changes. For a customized CCPA policy using a help wizard, there is also a Pro Version.