What is CCPA?
The California Consumer Privacy Act is a revolution in the data privacy rights of the American people. Much like the GDPR in Europe, CCPA aims to regulate how companies can capture and distribute your data. America still has no federal law that governs the data rights of American citizens. California has always been a leader in data privacy regulations, previously operating under CalOPPA. This is a potential starting point for new privacy regulations to be adopted nationally. More than 10 other states are in the process of considering new laws regarding privacy.
CCPA came into force on the 1st of January this year to protect the data of the Californian people. Only the user needs to be located in California for CCPA to apply. The physical location of the company collecting the data is irrelevant; it only has to be operating in California. This means any online service that fits the criteria of CCPA has to make its intentions clear to any user from California and allow them to opt out of data collection from January 1st.
What This Means for App Users
So, what does this mean for the app users of California? It puts control of private information back in the hands of the user. They have the right to stop a company from selling their data to a third party. This has previously been going on without ever needing consent. It allows control over what information is collected and holds the businesses collecting data responsible for any breaches in security. Within the first 6 months of 2019, 4.1 billion records were compromised in data breaches, 3.2 billion of which were from just 8 cases.
Now users can have previously stored data deleted, and permission must be granted by the user for the sale of their data. Companies cannot discriminate in the service they provide based on a user's data preferences.
What CCPA Means for You and Your App
CCPA has strict stipulations about when these practices come into play, and the majority of apps on the market won't fall into these categories. But if any of these three thresholds applies to your business, then it's time you paid attention to this new law:
- The first instance in which CCPA will apply is to companies with over $25 million annual revenue.
- The second states that the company stores the data of more than 50,000 "consumers, households, or devices".
- The last condition is that 50% or more of profits come from the sale of data.
Below these thresholds, it doesn't come into effect. If any one of these three applies to you, then you should already be compliant with CCPA. Due to these thresholds, it shouldn't apply to most smaller companies.
Why These Thresholds?
These thresholds make a lot of sense and are fair to smaller organisations or those who aren't making use of data collection for their own advantage.
The first point targets larger companies; most people would agree that if larger companies are collecting masses of user data then they have a responsibility to ensure its security. The Cyber Security Breaches Survey 2019 found that there was a rise in the number of cyber-attacks last year. Around a third of businesses overall reported attacks, but this rises to 60% for medium and 61% for large businesses.
The second point minimizes the hoarding of data. If you can avoid being affected by CCPA by reducing the number of data sets that are stored, then it's likely you'd make a point of safely deleting any unnecessary information on record that isn't of use.
The last point concerns companies that are exploiting data collection for profit. If you knew a service you were using was making more than half of its profit from selling information on its users… would you still use it? A company whose main income source is giving personal information to anyone who is willing to pay is most likely a company you don't want to have that information.
You’re probably now either relieved this won’t affect you… or you’ve stopped reading to look at implementing CCPA compliance within your app.
Exceptions to the Rule
There are still circumstances in which CCPA will apply to businesses that are technically below these thresholds. If a smaller business is a service provider to a company that is above the limits set out in the law, then the smaller business will need to comply. Any user information obtained from that partner company may be subject to the new law, and by having access to it, you become liable. Therefore, businesses in these situations need to have methods in place that are capable of safely disposing of data.
Act quickly if your app is currently available for download in California, or face some pretty hefty fines.
Currently, minor infringements will fall on a spectrum of fines between $100 and $750 per user. These fines are less severe than those that are issued for non-compliance with CCPA. These smaller fines cover instances such as a third party being able to advertise to the consumer because a security measure failed. Under CCPA, these claims can be made by anyone whose data has been breached, as statutory damages through the civil court. Clarip made the point that just 10,000 users making a claim after a breach (assuming they were only awarded the minimum amount) will cost a million dollars in compensation. Thirty days' notice will be given in these cases before legal proceedings commence. If the problem is rectified in this timescale, then no legal action can be taken by the consumer.
Non-compliance with CCPA is going to cost far more than this. In accidental cases the charge will be $2,500, but it rises to $7,500 for cases of deliberate non-compliance. This still doesn't sound too frightening, does it? Well, those figures apply per user that has had their data breached. If you're not complying with CCPA, then it's safe to assume you're going to be paying for more than one breach. Those fines mount up fast. Deliberately ignoring CCPA for just 133 Californian users is going to cost you just shy of a million dollars.
Now that CCPA is in place, you should be monitoring where the data you have collected has been going. Californians now have the right to ask for the data that was taken and who it was sold to. This backdates to the start of 2019. Now would be the time to go searching and make sure you have it ready when someone comes asking!
Private data can't be stored without prior permission. The company collecting the data must ask if the user would like to opt out at, or prior to, the first point of data collection. Users under 16 must be asked if they would like to opt in rather than out. There must be a portal in-app that can process the opt-in/out requests of users.
Data that is covered by this act and must be protected includes username, address, cookies, face or voice recordings, location history, search history, health, sexual orientation, employment and finances.
Those to whom CCPA applies need to have a repository of all data that has been stored, which can be issued upon request. If a consumer requests deletion of their data, you must have processes in place to safely delete all stored data.
The Future of User Privacy
2020 will be a big year in America for the rights of the consumer when it comes to data protection. It is expected that some other states will follow the lead of California as demand increases for a blanket policy that controls privacy in the US, just as the GDPR does in the EU. California could be the first of many to adopt this rigorous stance on privacy in 2020.
People should think positively of these advancements in user protection. Here at Kumulos we welcomed the introduction of GDPR and have been fully compliant since its initiation. CCPA is no different: new ways of protecting consumer data and ensuring safer practice for app users are always welcome. We're committed to data protection and privacy and enjoy seeing more government authorities introducing measures to protect the rights of the people. Hopefully CCPA is the first step towards a US-wide policy.
If privacy is a concern of yours when working with companies, or you’d like to find out more about Kumulos and what it can do to help improve the user experience of your app, book a demo today and see how we take data protection seriously.