Understanding the Impact of CCPA
The California Consumer Privacy Act (CCPA) came into effect on 1st January 2020 and is designed to protect the data privacy of residents in the state of California.
Hailed as “groundbreaking” in the US, the act is in fact far weaker than the policies of other countries and the expression “GDPR-lite” grossly overstates its scope as both the protections it offers and the organisations that it applies to are extremely limited. That said, for the few companies that will be affected it will be quite a shock.
The CCPA offers these protections to residents of California:
- The right for consumers to demand to see what data a company it holds on them
- The right to demand that the data is deleted
Companies will also have to display a mandatory link on their website allowing a consumer to prohibit that company from selling their data.
What Companies Are Affected By CCPA?
CCPA applies to:
- Companies that have revenues of more than $25m and 50% or more if that revenue comes from selling consumer data, or trade in more than 50,000 consumers’ data
- Californian citizens only
For which read Google, Facebook, Amazon and all those “data brokers” that clog up your browser with their tracking cookies.
Fines ranging between $2,500 to $7,500 can be levied on companies that break the law, but there are many exemptions.
How Does CCPA Compare to General Data Protection Regulation (GDPR)?
Although billed as the US (or rather, California’s) response to the European Union’s General Data Protection Regulation (GDPR), the legislation is far more limited, as the table below shows:
|Business Affected||Large Data Brokers Only||All Businesses|
|Data Breaches Covered||No||Yes|
|Data Collections Needs Legal Basis||No||Yes|
|Right to be Forgotten||No||Yes|
|Default Permission||Opt In||Opt Out|
|Maximum Penalties||$7,500||4% of worldwide revenues or €20m, whichever the greater|
Are UK Companies Affected By CCPA?
Unless you are trading in consumer data, have a turnover of more that £19m (at today’s rates) or hold and trade data on more than 50,000 people, you won’t be affected.
CCPA And CRM
Unlike GDPR, CCPA does not cover the safety or location of data storage, only allowing consumers to see what data is held and request for it to be deleted. As permission to collect (and sell) personal data is granted by default there is no need to collect and record individual’s consent to data collection.
It is unlikely that any of our customers will have to review their CRM usage, although if they are a large data broker they may need to set up processes to deal with requests to view and delete a consumer’s data – but for Californian residents only.