California’s California Consumer Privacy Act of 2018 (CCPA) has gone into law and will take effect in 2 years. This is just like the law it’s based on, the European Union’s General Data Protection Regulation (GDPR). While CCPA is based on GDPR, it doesn’t share GDPR’s punishing bite when it comes to the penalties that can be levelled against the perpetrator. While GDPR can force a company to pay up to 4% of its global income, while CCPA imposes $750 per consumer per incident (so $375,000 for 500 violations) though companies can also be fined up to $7,500 per individual violation of the CCPA. These fines are in addition to the fines that can be levied through California’s Unfair Business Practices Act. CCPA defines personal information as anything that could directly or indirectly link a person or household but this excludes anything that has been made publicly available. “Publicly Available” in this case means information that has been released through Federal, State, or Local government information programs and not something that can easily be found online. CCPA is also different in its scope from GDPR, in that it’s really only going after large-scale companies and data users. Companies must be for-profit, have made a revenue of $25 million or more, handle (sell, process, or buy) the data of 50,000 or more consumers, OR get at least 50% of their income through working with personal data.
CCPA includes similar disclosure clauses to GDPR, in that companies must let consumers know how and why their data is being used as well as allowing them to opt out of use at any time. Businesses may not sell or handle the data of anyone under the age of 16 unless that consumer has explicitly opted-into the sale of their data. There is not a requirement for opt-in under CCPA, unlike GDPR which requires that any data collected must be positively agreed to and done so with actual consent when possible. CCPA allows for companies to offer compensation for the collection and use of personal data, which will allow companies to offer goods and services for data instead of being forced to do so without any compensation. This is a divergence from GDPR where companies are not allowed to offer compensation for personal data and must provide their services without discrimination to those who don’t want to provide their data. This “lack of discrimination against those who don’t opt-in” is the focus of several cases that have been brought against Facebook, WeChat, Instagram, and Google that allege that those companies do not freely collect consent or allow those who don’t agree to provide their data to still use the services provided by those companies.