What is the CCPA?

The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020, and it has had a vast impact on businesses operating in California and throughout the U.S. With the rise of many tech giants such as Facebook and Apple in California, regulators have placed tech companies under intense scrutiny regarding customer data. Third parties working with tech giants have misused customer data in several major instances over the past few years. This has prompted legislators and regulators to create comprehensive legislation to protect the rights of consumers: the CCPA.

How is the CCPA enforced?

Although the CCPA went into effect at the beginning of 2020, the California Attorney General couldn’t enforce it until July 1st, 2020. It’s important for businesses to familiarize themselves with how the CCPA works and avoid any financial and legal penalties associated with breaching it. A business is liable to face CCPA enforcement if it does not fix a violation within 30 days of notification from the Attorney General. The Attorney General stated that the CCPA is additionally focused on protecting the data of minors and vulnerable individuals, because these populations are ill-equipped to understand the consequences of giving their data to corporations. The actual ramifications of violating the CCPA depend on what the company did with consumers’ data; they can include investigations, fees, revocation of certain permissions, or closure of the business.

GDPR vs. CCPA:

Many businesses are familiar with the General Data Protection Regulation (GDPR) and can relate the CCPA to it. Although the two laws have many similarities, there are several key differences:

  • Regional specificity: GDPR protects all data subjects within the European Union. This means that anyone who travels to the EU will have their data protected, and companies using their data must comply. The CCPA differs in that it focuses on protecting the data of California residents rather than all data subjects within California.
  • Characterization of businesses: GDPR is far stricter than the CCPA when it comes to classifying who is liable under each law. With GDPR, any data controller that operates in the EU has to comply. The data controller is defined as any entity that collects or processes data in the EU. This definition encompasses virtually all individuals or businesses that work with data in the EU. In contrast, the CCPA only applies to:
    • Businesses with over $25 million in revenue per year
    • Businesses that derive fifty percent or more of their yearly revenues from the sale of personal information
    • Businesses that process the personal information of at least fifty thousand Californians per year
  • Penalties: The CCPA is still in its infancy and does not have as many penalties associated with it as the GDPR. With regard to monetary penalties specifically, the GDPR is exponentially more costly than the CCPA. The maximum penalty for the CCPA is $2,500 and international penalties can be up to $7,500. In contrast, the fines for violating the GDPR can be up to $20 million or 4% of the annual revenues of a business.
