Although not the first state law to address data protection and consumer privacy, the passage of the California Consumer Privacy Act (CCPA) made the headlines in 2018 due to being closely modeled on the EU´s General Data Protection Regulation (GDPR).
The CCPA requires organizations with revenues of more than $50 million, organizations that buy, receive, or share the personal data of more than 100,000 Californian residents or households, or organizations that generate 50% or more of their annual revenues from selling or sharing personal information to implement and maintain reasonable security procedures and practices to protect consumer data.
The law also gives Californian consumers the right to know what data is being collected about them, the right to request data is deleted (subject to certain conditions), the right to opt-out of having their data sold, and the right to non-discrimination for exercising their rights. Organizations can be fined up to $7,500 per incident for non-compliance and be subject to a private right of action in the event of a data breach.
- Originally CCPA applied to organizations with revenues of more than $25 million, or that bought, received, or sold the data of more than 50,000 Californian residents or households, but the thresholds were increased by the California Privacy Rights Act (CPRA) in 2020, along with the inclusion of the terms “share” and “sharing” to reflect the distinction of selling data for money and sharing data for other commercial advantages.
The CPRA also extends data subjects´ “right to know”. Californian residents now have the right to request access to and correct personal information maintained about them, restrict the use of sensitive personal information, and opt-out of their data being used by automated decision making technology. Similar to GDPR, Californian residents also have the right to request that some or all of the personal information maintained about them is transferred to another entity.
Also similar to GDPR, CPRA includes regulations relating to data minimization, purpose limitation, and storage limitation. These regulations mean organizations may only collect data that is necessary and proportionate to the purpose of collecting the data. Data cannot be collected or used for purposes that are incompatible with previously disclosed purposes, and organizations cannot retain data longer than is “reasonably necessary” for each disclosed purpose.
Importantly, CCPA and CPRA apply to any organization located anywhere in the world (subject to the qualifying criteria above) that collects, stores, processes, sells, or shares the personal information of Californian residents – even if a Californian resident is not physically in California at the time data is collected. The application of the law also applies to qualifying contractors who provide a service on behalf of the organization collecting, processing, or sharing Californian residents´ data.
CCPA/CPRA Prompts Other States to Update Data Protection and Privacy Laws
Between the time CCPA was passed by the Californian legislature (2018) and enacted (2020), Nevada leap-frogged the Golden State with an update to its data protection and privacy laws in 2019. The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) is not as comprehensive as CCPA (with CPRA enhancements) but similar to CCPA/CPRA, it applies worldwide to qualifying organizations that collect, process, or store the data of Nevada residents.
Subsequently, in March 2021, Governor Ralph Northam signed Virginia´s Consumer Data Protection Act into law – an Act that provides similar data protection and privacy rights as California´s laws, but with more refinement. Other states with bills under consideration include:
- New York (NY Privacy Shield Act has passed House but not Senate yet)
A proposed federal data protection and privacy law has also recently been introduced. The proposed Information Transparency and Personal Data Control Act (ITPDCA) aims to connect the patchwork of state legislation in a similar way to CCPA/CPRA but without the private right of action available to individuals who have suffered harm as the result of a data breach. If passed, enforcement of the Act and compliance investigation will be assigned to the Federal Trade Commission (FTC).