California Consumer Privacy Act (CCPA): First Warning Letters Are Being Sent

The California Consumer Privacy Act (CCPA) went into effect on January 1st, but enforcement efforts were put on hold until July 1, 2020.  Now that the deadline has passed, CA AG Xavier Becerra has issued warning letters to companies over alleged violations as reported by MediaPost.

It’s the toughest law enacted in the U.S. so far dealing with online privacy and consumer rights, although more are likely on the way.  In a recent Cisco survey, 84% of people reported that they want more control over their data and its use.  Other privacy laws have been passed in Maine and Nevada.  16 other states have laws currently under consideration.

Here’s a short synopsis of the CCPA and consumer rights that I published in December 2019 and how it differs from the EU’s General Data Protection Regulation (GDPR).


Businesses will be required to allow California residents to access or delete personal data from records.  In addition, businesses must allow residents to opt out of being included in data-sharing arrangements or the selling of their data.

If you serve or employ California residents – regardless of where your business is physically located – CCPA will impact you.  Here are the five key areas you need to address in your strategic planning:

  1. How you collect and store data
  2. How you use or sell data to third parties
  3. Individuals’ rights to opt out of data selling
  4. Compliance by third-party data processors
  5. Monitoring, tracking, and proactive remediation of security gaps and vulnerabilities

GDPR

The EU’s General Data Protection Regulation (GDPR) has already had a significant effect on companies doing business in the EU or doing business with EU residents.  It has affected most U.S.-based companies that have any reason to handle personally identifiable data from EU citizens.

With GDPR in effect for more than a year now, regulators have started handing out significant fines for non-compliance.  Notable fines against U.S. companies include a proposed $57 million fine against Google and a $123 million proposed penalty for Marriott.

 

 


There’s already a movement in California for stricter laws and larger penalties.  CPRA, the California Privacy Rights and Enforcement Act of 2020, has been filed to create a statewide ballot initiative in the fall.

The same group behind CCPA, Californians for Consumer Privacy, is pushing the new effort.

What is CPRA?

CPRA would go even further in granting consumer rights than the current CCPA.  One of the main tenets is adding additional items, dubbed sensitive personal information (SPI), to the list of what is regulated.  They include collecting data such as:

  • Passports
  • Social security number
  • Driver’s licenses
  • Religion
  • Race
  • Union membership
  • Personal communication
  • Genetic data and other health information
  • Information about sex life or sexual orientation

The ballot initiative would also establish a consumer privacy agency to oversee it all, including $10 million from the California General Fund to staff and enforce the regulations.