As of January 1, 2020, California has introduced its own mini GDPR, also known as the California Consumer Privacy Act (CCPA). It is a first step in the right direction for data protection, and one that has caused great concern, especially among the many data-driven tech companies throughout the state of California.
A “Do not sell my personal information” link is now mandatory on many websites. And this is only the beginning of a new American data protection movement, as the law is constantly being expanded and more US states want to follow suit.
But who does the new law actually concern? What does it mean for anyone in Europe? And most importantly, how do CCPA and GDPR differ? We have compiled the most important information.
CCPA – Who does it affect?
The company must
- do business in California
- have a total turnover of over 25 million US dollars (before taxes)
- collect more than 50,000 data records from California residents per year
- generate half of its turnover from the sale of users’ personal data
Important to know: CCPA was approved in June 2018 and came into effect on the 1st of January 2020. At the moment, however, there is still a kind of grace period for companies, as the law is currently being expanded and amended. It is expected that regulations will take serious effect from July 1, 2020, and the law will be enforced with the utmost consistency.
CCPA – Who does it protect?
Only Californian citizens or households fall under the protection of the CCPA, unlike the GDPR regulations, which apply across national borders.
Important to know: There is no standardized data protection law in the United States, as there is, for instance, in the EU. Any data protection laws that do exist refer to specific areas (such as the health sector) or, like the CCPA, to individual states.
GDPR or CCPA – What applies?
Both the GDPR and the CCPA are extraterritorial laws. Therefore, they also apply outside the territory of the country or state in which they were introduced. Companies that do business in one of the European member states or in the American state of California and process user data must comply with the respective rules and regulations.
To be clear: if a European citizen visits a California-based US website, the GDPR regulatory framework will apply.
If a Californian citizen surfs a website of a company in the EU, both the CCPA and the GDPR apply to this website user.
However, this is only the case if it can be argued that the respective offer is also directed at users outside the home market. Important: In the event of uncertainty, one should follow the stricter law, i.e. the GDPR regulations, and enforce it for all visitors.
What is the difference between GDPR and CCPA?
The CCPA is in essence merely a consumer protection regulation, whereas the GDPR regulates the subject of data protection more comprehensively. For example, the GDPR regulations also apply to the B2B sector. Overall, the CCPA is considerably less specific. Concrete regulations such as the obligation to appoint a data protection officer, as stipulated in the GDPR, are not provided for in the CCPA regulatory framework.
The biggest difference between the CCPA and the GDPR is the use of personal data:
In order to be allowed to collect user data and subsequently pass it on in accordance with the GDPR, the website operator must have obtained the user’s prior explicit consent (opt-in).
The CCPA, on the other hand, is based on the opt-out principle. To be CCPA-compliant, a company’s website must contain a clearly visible link with the wording “Do not sell my personal information” so that the user can actively object to the disclosure and sale of personal information.
Explicit consent must be obtained for the transfer of data for children between the ages of 13 and 16. In the case of children under 12 years of age, consent of their legal guardians must also be obtained. Since it cannot be ruled out that some websites may also have visitors under the age of 16, one should play it safe and obtain an opt-in for everyone, which is again in line with the GDPR regulatory approach.
The GDPR handles child protection with a little more rigour: the processing of personal data is generally only permitted here from the age of 16 onwards. If the child is younger, the consent of a parent or guardian must be obtained.
However, GDPR contains an opening clause whereby Member States may also reduce the age limit to 13 years. Germany, however, does not make use of this provision; Austria, for example, does. This is a theme that companies operating throughout the EU must keep in mind.
First-party cookies that collect personal data, e.g. regarding user behaviour on a website, fall within the scope of the CCPA. Excluded from this regulation are essential cookies, which only serve to enable the essential processes on a website.
The interpretation of the law with regard to third-party cookies is currently still unclear. For example, within the scope of the CCPA, the sharing of user data with third-party advertising providers or the use of third-party analysis tools, e.g. for retargeting measures, can also be interpreted as “selling data”.
If a user does not want to be tracked, he or she can now take advantage of the legally required opt-out option under the CCPA regulations. This means that his or her data can neither be used nor passed on.
But what exactly does this mean for website operators?
A considerable loss of advertising revenue, unless the website operator obtains the explicit consent of the user via a CCPA-compliant Consent Management Platform (CMP) and thereby remains legally on the safe side.
What rights do website visitors have under CCPA?
The CCPA reinforces the following four basic website user rights:
- The right to receive full information
The user can request a full report from a company or organisation at any time (retrospectively for 12 months) on what data was collected and stored, when and for what purpose.
Interesting: According to the CCPA, the user cannot object to the collection of personal data, which differs from the GDPR regulations. However, the processing or sale of data can be prohibited via the “Do not sell my personal information” link.
- The right to delete
The website user has the right to request the deletion of his or her personal data.
- The right to equal treatment
There can be no disadvantage to the website user when he or she decides to assert rights under the CCPA. This non-discrimination principle ensures that, for example, the user may not be shown higher prices than users who have consented to the processing of their personal data.
- The right to data transferability
The user can request access to his or her personal data from a company at any time. The company must then send it to the user within 25 days in a portable and technologically simple-to-transmit format so that it can be transferred to other companies.
What are the penalties for breaching the CCPA regulations?
While severe fines of up to 20 million euros or 4% of annual turnover can be expected for violations of the GDPR, the CCPA provides for much milder penalties. A fine of 7,500 USD is imposed for an intentional violation of the data protection obligation. However, the company has 30 days to correct its mistake towards the website user. A fine of 2,500 USD can be imposed for violations.
Eye-opening: In the event of data loss or data theft, statutory compensation of 100,000 USD to 750,000 USD per user and incident may apply. Data breaches can quickly add up to millions in losses, especially for large companies.
The answer: The implementation of a CCPA-compliant CMP
If a company wants to process data from Californian website users in a data protection-compliant manner, a CCPA-compliant Consent Management Platform is essential, not only to minimize the risk of fines, but also to be legally on the safe side when obtaining, managing and optimizing user consent and opt-outs. Only transparent consent management enables sustainable marketing.
Protect your advertising revenue and make data protection your competitive advantage. Ensure your website is CCPA compliant today – quickly, easily and individually. Contact us, we will be happy to advise you!
Please note that this article does not constitute legal advice. Please contact your lawyer for any legal questions.