The California Consumer Privacy Act is a revolution in the data privacy rights of the American people. Much like the GDPR in Europe, CCPA regulates how companies can capture and distribute data. America still has no federal law that governs the data rights of citizens. California has always been a leader in data privacy regulations, previously operating by CalOPPA. This is a potential starting point for new privacy regulations to be adopted nationally with more than 10 other states considering new laws regarding privacy.
CCPA came into force on the 1st of January this year. For CCPA to apply, only the user needs to be in California. The location of the data collector is irrelevant; it only has to operate in California. This means any online service that fits the criteria of CCPA must make its intentions clear and allow Californians to opt out of data collection from January 1st.
What This Means for App Users
This puts control of private information in the hands of the user. Previously, consent wasn’t needed to sell data to a third party. The act gives users control over what information is collected and holds businesses responsible for any security breaches. Within the first 6 months of 2019, 4.1 billion records were compromised in breaches, 3.2 billion of which came from just 8 cases.
Now users can have previously stored data deleted, and permission must be granted by the user before their data is sold. Companies cannot discriminate in the service they provide based on the user’s data preferences.
What CCPA Means for You and Your App
CCPA has strict stipulations about when these practices come into play. If any of these three thresholds applies to your business, then it’s time you paid attention to this new law:
- CCPA will apply to companies with over $25 million annual revenue.
- Companies that store the data of more than 50,000 “consumers, households, or devices”.
- Companies where 50% or more of profits come from the sale of data.
If any one of these three applies to you, then you should already be compliant. Because of these thresholds, it shouldn’t apply to most smaller companies.
Why These Thresholds?
These thresholds make a lot of sense and are fair to smaller organizations or those who aren’t making use of data collection for their own advantages.
The first point targets larger companies; most people would agree that if larger companies are collecting masses of user data, then they have a responsibility to ensure its security. The Cyber Security Breaches Survey 2019 found a rise in the number of cyber-attacks last year. Around a third of businesses overall reported attacks, but this rises to 60% for medium-sized and 61% for large businesses.
The second point discourages the hoarding of data: to stay under the CCPA threshold, you’d likely make a point of safely deleting any unnecessary information on record that isn’t of use.
The last point concerns companies that exploit data collection for profit. A company whose main income source is handing personal information to anyone willing to pay is most likely a company you don’t want holding that information.
Exceptions to The Thresholds
If a smaller business is a service provider to a company that is above the limits set out in the law, it too must comply. Any user information obtained from that partner company may be subject to the new law, and by having access to it, you become liable. Businesses in this situation need to have methods in place that can safely dispose of data, or face some pretty hefty fines.
Currently, minor infringements incur fines of $100–$750 per user. These cover instances such as a security failure that allows an unauthorized third party to advertise. These claims can be made as statutory damages through the civil courts. Just 10,000 users making a claim and being awarded the minimum amount will cost a million dollars in compensation. If the breach is rectified within 30 days, then no legal action can be taken.
Non-compliance with CCPA is going to cost far more than this. In accidental cases the charge will be $2,500, rising to $7,500 for cases of deliberate non-compliance. This still doesn’t sound too frightening, does it? Those figures apply per user; if you’re not complying with CCPA, then it’s safe to assume you’re going to be paying for more than one breach. Ignoring CCPA for just 133 users is going to cost you nearly a million dollars.
You should already be monitoring where the data you have collected has been going. Californians now have the right to ask for the data that was taken and who it was sold to, and this right backdates to January 2019. Now is the time to go searching and have it ready when someone comes asking!
Private data can’t be stored without prior permission. The company collecting the data must ask whether the user would like to opt out, at or before the first point of data collection. Users under 16 must opt in rather than out. There must be a portal in-app that can process users’ opt-in/opt-out requests.
Data that is covered by this act and must be protected includes usernames, addresses, cookies, face/voice recordings, location history, search history, health, sexual orientation, employment and finances.
Those to whom CCPA applies need to have a repository of all data that has been stored, which can be issued or deleted upon request.
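The requirements above (opt-out for adults, opt-in for users under 16, a log of who data was sold to going back to January 2019, and access/delete requests) can be modelled as a small consent and inventory layer. This is an added illustration, not code from the original post; the class and function names are hypothetical and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

OPT_IN_AGE = 16                    # under 16: must opt in; otherwise opt-out model
LOOKBACK_START = date(2019, 1, 1)  # disclosures are reportable back to this date


@dataclass
class ConsumerRecord:
    consumer_id: str
    age: int
    opted_in: bool = False
    opted_out: bool = False
    personal_data: dict = field(default_factory=dict)
    disclosures: list = field(default_factory=list)  # (date, recipient, categories)


def may_sell(rec: ConsumerRecord) -> bool:
    """Sale is permitted only with opt-in for minors, and absent opt-out for adults."""
    if rec.age < OPT_IN_AGE:
        return rec.opted_in
    return not rec.opted_out


def record_sale(rec: ConsumerRecord, recipient: str, categories: list, when: date) -> None:
    """Log a disclosure; refuse if the consumer's consent state does not allow it."""
    if not may_sell(rec):
        raise PermissionError(f"sale not permitted for {rec.consumer_id}")
    rec.disclosures.append((when, recipient, list(categories)))


def access_request(rec: ConsumerRecord) -> dict:
    """Return what is held and every recipient it was sold to since the look-back date."""
    sold_to = [(d.isoformat(), who, cats) for d, who, cats in rec.disclosures
               if d >= LOOKBACK_START]
    return {"data": dict(rec.personal_data), "sold_to": sold_to}


def delete_request(rec: ConsumerRecord) -> list:
    """Erase stored personal data and return the categories that were removed."""
    removed = sorted(rec.personal_data)
    rec.personal_data.clear()
    return removed


if __name__ == "__main__":
    adult = ConsumerRecord("c-1001", 34, personal_data={"address": "123 Main St", "cookies": "abc"})
    record_sale(adult, "AdBrokerCo", ["address"], date(2019, 6, 1))
    print(access_request(adult))
```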
Watch this space…
2020 will be a big year for data protection in America as demand grows for a blanket policy that governs user privacy. Expect other countries to follow suit as adopting a national law on data protection becomes more popular and the importance of user privacy becomes a near globally accepted notion.