The California Consumer Privacy Act (CCPA) – Part 3

In this third and final article discussing CCPA, I’ll explore how CCPA is supposed to be enforced, how CCPA compares to the European Union’s GDPR, and I’ll wrap up with some final thoughts about the law and what it means for Californian citizens. Part 1 discusses how CCPA came to be, and Part 2 describes the scope, definitions, and the rights CCPA gives to California residents.

Enforcement

Privacy advocates are generally pleased with how CCPA will be enforced. First of all, CCPA calls for the creation of the California Privacy Protection Agency (CalPPA) as an “independent watchdog whose mission is to protect consumer privacy” to “ensure that businesses and consumers are well-informed about their rights and obligations” and to “vigorously enforce the law against businesses that violate consumers’ privacy rights”[1]. It also calls for a special fund called the “Consumer Privacy Fund” to be created to handle costs to the State associated with enforcing CCPA. CCPA further allocates a small percentage of apportioned funds to be distributed by CalPPA in the form of grants to non-profits and public agencies that promote and protect consumer privacy, and that educate children about online privacy. State and local law enforcement agencies will also receive funds to support cooperative efforts with international law enforcement to aid in combatting online fraud and associated data breaches[2].

Penalties for violations of CCPA are significant, as well. Intentional violations will be fined $7,500 for each instance, and violations that are unintentional and/or the result of negligence on the part of the business in question will be fined $2,500 for each instance[2]. There is a “safe-haven” clause that allows businesses a 30-day window to “cure” noncompliance, but it is uncertain whether or how much the California attorney general will limit the use of this clause. Given the potentially large dollar values involved for violations, and the anticipated uncertainties in how the new law will be interpreted, the American Bar Association has published a “practice point” which suggests there will be a significant rise in privacy litigation in California, some of which will involve jurisdictional challenges and challenges to the delegation of regulatory authority to the California attorney general[3].

Comparing CCPA and GDPR

Although many have compared CCPA to the EU’s GDPR, there are some significant differences. For example, GDPR not only considers specific data points like name, age, and address, but it also includes “contextual” information that can indirectly identify a person, including items like screen names, device IDs, physical, commercial, or cultural information that has not been anonymized[4]. CCPA does not go so far as that, but it does go further than any other privacy legislation in the United States in that it not only includes a broad definition for “personal information,” but it also includes a definition for “aggregate consumer information,” which refers to information that relates to a group or category of consumers[2].

Other differences include the GDPR requirement for a Data Protection Officer, an individual within an organization who is the steward for data protection implementation. CCPA has no such requirement and places much of the burden for detecting compliance on the consumers it is supposed to protect. CCPA does protect California residents, even if the business in question is based outside of California state borders, but GDPR applies to anyone within the EU at the time of data collection. In other words, an American vacationing in France would be protected by GDPR for the duration of their stay. Additionally, GDPR does not have thresholds associated with a business’ revenues akin to those required before CCPA kicks in. All companies that process the personal data of individuals in the EU are subject to GDPR, regardless of the size of the company or of what percentage of their business revenues are generated by data harvesting or usage[5].

Still, there is some merit to the comparison between GDPR and CCPA, if only for the fact that both represent landmark strides to protect the rights of individuals as pertains to data collected about them and how it is used.

Final Thoughts

Given how much technology innovation is generated within California’s borders, it should come as no surprise that its laws would reflect a heightened awareness of how those technologies impact individuals. CCPA is just the latest example of this in action. It is also an example of how a few individuals can achieve positive impact for millions through their determination to enact changes for the social good. Alastair Mactaggart and a handful of like-minded individuals did just that, exercising their democratic rights to put an initiative on the California ballot. As word of their objectives spread, others, in Sacramento and elsewhere, rallied to help. CCPA is the result, and as of January 2020, nine other states were considering similar privacy laws[6].

While some privacy advocates hold that CCPA does not go far enough, the fact that the American Bar Association is on alert for an increase in privacy litigation in California[3] reflects the fact that CCPA is a significant departure from “business as usual” in the handling of personal data by businesses. There are also indications that federal privacy laws may be created in the not-too-distant future[7]. It seems unlikely that a federal law would be as encompassing as GDPR, or even as CCPA, but taken as a whole it seems clear that personal privacy and the rampant use of personal data as a commodity are on the minds of many Americans.


References

[1] L. F. de la Torre, “What is the California Privacy Protection Agency?,” Golden Data, Nov. 05, 2020. https://medium.com/golden-data/what-is-the-california-privacy-protection-agency-24fab5dd4d13.

[2] “Cal. Civ. Code § 1798.100 – 1798.199.100,” California Legislative Information. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.

[3] S. A. Sargent and J. P. Webb, “California Consumer Privacy Act: A Practice Overview,” American Bar Association, Apr. 12, 2020. https://www.americanbar.org/groups/litigation/committees/corporate-counsel/practice/2020/california-consumer-privacy-act-a-practice-overview/.

[4] D. Sirota, “California’s new data privacy law brings U.S. closer to GDPR,” TechCrunch, Nov. 14, 2019. https://techcrunch.com/2019/11/14/californias-new-data-privacy-law-brings-u-s-closer-to-gdpr/.

[5] K. Bernadini, “CCPA vs GDPR | Key differences in the legislation,” Nov. 04, 2020. https://www.gdpreu.org/ccpa-vs-gdpr/.

[6] G. Edelman, “The Fight Over the Fight Over California’s Privacy Future,” Wired, Sep. 21, 2020. https://www.wired.com/story/california-prop-24-fight-over-privacy-future/.

[7] L. Hautala, “CCPA is here: California’s privacy law gives you new rights,” CNET, Jan. 03, 2020. https://www.cnet.com/news/privacy/ccpa-is-here-californias-privacy-law-gives-you-new-rights/.
