Privacy protection for California residents
Similar to the European GDPR law, but with distinctive differences, the California Consumer Online Privacy Act (CCPA) was intended to protect consumer privacy rights for Califonia residents. The law came into effect on the first of January 2020. It affects all businesses serving California-based consumers. Government agencies and non-profit organizations are excluded from the CCPA ruling.
Giving consumers more control over their collected private information
The key purpose of the CCPA consumer privacy rights ruling is to enhance Californians’ more control of which personal information is collected. This includes:
- a right to know which personal information is collected and how it is used and shared
- a right to have personal information deleted (with some exceptions)
- an opt-out right of the sale of personal information
- a right to non-discrimination for exercising CCPA rights
The right to know as a cornerstone to consumer privacy rights
Under the right to know, a Californian resident can pursue his or her consumer privacy rights by demanding information about the categories of personal information collected, which third parties the business shares the info with, from which sources the collection happened, and the commercial purpose of the personal data gathered.
Deletion of personal information with some exceptions
A request to delete personal information must be fulfilled within 45 days of submitting the appeal to remove the data, free of charge. Exceptions to not comply with the deletion are: to complete a transaction, providing a good or service demanded by the consumer, legal obligations, to prevent or detect fraudulent or illegal activity, or when the personal information collected is in the public interest of historical and scientific research.
The right to opt-out to stop selling personal information
The right to opt-out means you can explicitly ask a business entity to stop selling your personal information. Once you request to opt-out, an organization can not sell your information unless you authorize them again to do so. Moreover, they will have to wait for a 1-year minimum before asking you to op back in again. A company`s privacy policy must contain a Do Not Sell My Personal Information link on their website.
Non-discrimination when exercising consumer privacy rights
As for the right to non-discrimination, a business may not deny you any goods or services or provide a different quality, nor can they charge you higher prices. However, if you decide to exercise your consumer privacy rights by opting-out, the company can exclude you from offering promotions and deals. This exclusion can only happen if the financial incentive on offer is reasonably related to the value of collecting your personal information.
Personal information is anything that links to a particular consumer
Under CCPA, personal information is outlined as data that identifies, describes, or links to a particular consumer or household. As such, it includes but is not limited to: a real name, an alias, a postal address, a unique personal identifier (PID), an IP address, an email address, an account name, a social security number, a driver’s license, a passport number, or similar identifications. On the other hand, publicly available information does not classify under personal information.
Differences between GDPR and CCPA
While both the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) significantly improve consumer privacy rights, there are distinctive differences to note. The CCPA law applies to all for-profit businesses, while GDPR includes non-profit, public entities, and individuals as far as they reach out to consumers in the European Union. The former protects only consumers, but GDPR does not differentiate between B2C (business to business) or B2C (business to consumer).
File a lawsuit in case of a breach
Another important distinction relates to the security requirements. As to comply with GDPR, both controllers and processors need to implement appropriate security methods in case of breaches. The CCPA ruling does not specify any security requirements but does allow consumers to file a lawsuit in case of personal harm due to insufficient security practices.
Highest privacy rights protection precedes
As other states in the USA apply or are working on different laws in case of data breaches, this could lead to conflicts with the CCPA law. The principle followed in such cases is that the ruling that protects consumer privacy rights the most will precede.