2018 became the year when everybody talked about GDPR – a new European set of rules, which regulates processing principles of the European citizens’ data. Adoption of this law was widely discussed within the political, economic, commercial and public sectors all over the world. GDPR was seen as something unprecedented. However, it is not really all that unique anymore. More and more analogs of GDPR appear in the world. For instance, recently a similar regulation has been developed in India. The United States are the next in line. California followed the European example and approved its own law, which governs the rules for working with personal data of users – California Consumer Privacy Act (CCPA).

Developed this summer, CCPA will come into force on January 1, 2020, which means we still have about a year to prepare for the new regulation.  

Law Coverage

The new Californian law is not nearly so severe as the European directive, but still implies many changes for business. Every Internet user in California will get the right to request from a company information that it has collected about him/her and a list of third parties to whom the data has become known. Based on this law, the user can now sue an organization that used his/her personal data improperly.  

CCPA covers the activity of companies that process personal data of Californian residents (within the state and outside of it) and receive a minimum of $25 million annual income. If a company has less income, but stores personal data of more than 50 thousand people, its activity also falls under the CCPA. The new law also regulates the activities of organizations, which receive more than half of the profit (no matter how large) from the disposition of personal data.

Personal Data

Under the definition of ‘personal data’ falls any identifiers, biometrics, geolocation, history of the Internet activity and information about employment or education. In general, this could be any data that can help identify a person. However, the law contains some pretty vague definitions. Any information that allows creating users profiles (psychological or behavioral, or any other) can be considered as personal data.

Users’ Rights

According to the regulation, a user gets a “traditional” set of rights, to which belong:

  • Right of Access. A user can send a request and get all the information that the company has collected about him;
  • Right to be Forgotten. A user may request to remove information about himself from the company’s servers and servers of third parties;
  • Right to Know. Upon request, the company must disclose the purposes of collecting personal data and their sources;
  • Right to Refuse. Users may refuse to transfer their data to third parties.

Here arises an important difference between the CCPA and the GDPR. According to the European directive, the company needs to obtain the user’s consent to processing of personal data. Under Californian law, an organization should only process requests from users they don’t have to get any primary permission.

If personal data was lost or stolen, the company will have to pay between $100 and $750 to each user.

If a user has sent to a company a complaint about a violation related to his personal data, the company is obliged to resolve the problem within a month. Otherwise, it must pay a fine of around $7,500. However, according to the CCPA, companies are not obliged to disclose the facts of violations if they have not received a corresponding request from users.

System of Rewards

There is one interesting detail – the law prohibits companies from discriminating against users who refuse to provide their personal data. However, it also implies the possibility of introducing a reward system for those who have agreed.

Formally, this means that companies can make a discount to those who share their data with third parties and set different prices for users with different privacy settings.
This creates not only an interesting technological precedent but also a cultural one. The CCPA creates new rules, according to which companies can buy information from users that they previously received for free.

Predictions for the Future

Officially, the law comes into force on January 1, 2020. But as soon as it starts its action, the company should immediately be able to provide users with the data collected from them within the last 12 months. Accordingly, the deadline for implementation of all necessary technological solutions comes in effect a year earlier – that is, on January 1, 2019.

With the emergence of this approach, we can expect the uprise of the first lawsuits on the very first day of the directive, as was the case with GDPR and various claims to Facebook and Google.

As the law passed so hastily, within only two weeks, many predict that it will be modified in the near future. However, there is no certainty about how significant the changes will be. The key points are likely to remain intact. Thus, the CCPA is the first step towards a completely new understanding of information security in the USA and the alteration of many practices that have been considered basic and unchanged for many years.