On July 1, 2020, implementation of the California Consumer Privacy Act (CCPA) of 2018 started. The CCPA was already effective starting on January 1, 2020, however, all businesses covered by the Act were granted a 6 month grace period to comply with the provisions of the CCPA.
Since the grace period has now passed. California Attorney General Xavier Bercerra stated that enforcement will not be delayed, even if companies and trade associations have requested to extend the grace period for another 6 months because of the 2019 Novel Coronavirus pandemic. The requests were acknowledged however there is no extension given.
Attorney General Bercerra stated that because of the new reality created by COVID-19, there’s a heightened value of securing consumers’ privacy online. Businesses should be notably mindful of data security in this emergency situation.
At this point, the CCPA has power which means that any violation of the CCPA starting July 1, 2020 can receive a financial penalty of approximately $7,500 per violation. When an organization is thought to have violated the CCPA, a notice will be issued, and the organization will be allowed to have 30 days to resolve the violation, otherwise, there might be financial penalties or lawsuits.
The CCPA presented a swathe of new privacy protections for California and non-California residents, copying a few of the rights launched by the European General Data Protection Regulation (GDPR). The following businesses fall under the CCPA:
- businesses that have more than $25 million in annual income
- businesses that collect the personal information of over 50,000 buyers, families, or devices
- any company that gets over 50% of its annual revenue from selling the personal information of consumers
The CCPA provides end-users in the state of California the right to find out what personal information businesses are gathering and the intent for which data is being gathered. No other personal data can be gathered except with the consent given by users.
Businesses covered by the act should have a banner on their site providing information to consumers regarding their rights, which consists of the right to decide not to have their personal data gathered. Consumers can ask all personal information gathered by a business to be erased and companies should have a system in place to remove personal information when requested.
The CCPA forbids the vending of the personal data of individuals under the age of 16 without their authorization, and the sale of the personal information of children under the age of 13 is just allowed with parental permission. The CCPA additionally does not allow businesses to discriminate against end-users who decide to exercise their rights under the CCPA.
There is likewise a private cause of action, therefore consumers can file a case against businesses that violate their unredacted, unencrypted personal data and can claim $100 and $750.