The year 2018 kicked off with the buzz around GDPR. It has rolled out recently in May 2018 affecting almost every small and big company that is dealing directly or indirectly with the personal data of the residents of Europe.
Well, the recent incidents of personal information misuse by large analytics, political campaigning companies scandal and the hack of location tracking data have given a push to the concerns over data privacy and protection.
These concerns about data privacy have led to the introduction of many privacy protection laws. In the list of privacy protection laws comes the California Consumer Protection Act, which is proposed to safeguard the rights of the consumers, whose data is collected by various means by companies/traders/portals.
Let us now explore the California Consumer Protection Act which is one of the propositions of the ballot.
What is California Consumer Protection Act?
This is an act proposed by Ballot, which, once passed will allow the people to know about the information which is collected by different companies. This ballot measure will grant consumers the following principal rights:
- To ask the companies to identify the personal data of the consumer, collected by them
- To demand not to sell or share the personal data for business purposes
- To sue the companies violating the law or experiencing data breaches
Let us now explore some of the key features that are included in the proposed act of California Consumer Protection.
Key Inclusions of the CCPA
1. Right to know what personal information is collected by the companies:
It is the right of the consumer to request a business entity to disclose the information which is collected by them. It shall also disclose the different categories of personal information that it has collected about the consumer.
2. Right to know if the personal information is sold or disclosed and to whom:
This right describes the consumers’ right, to request the business to disclose the information that is being used by the business either for selling or disclosing it for any other business purpose. It includes the disclosure of the following:
- Categories of personal information being sold by the businesses about the consumer along with the identity of the third parties to whom any such information was sold.
- Categories of the personal information that the business disclosed about a particular consumer for any business purpose along with the identity of the person to whom the information was disclosed.
- Categories of information that the business has either sold or not sold, it has to disclose that fact to the consumers. Further, if the business has either used that information or not used it for any business purpose, it shall also disclose that fact.
3. Right to deny the sale of personal information:
This right may be referred as the right to opt out. It elaborates that customer shall have the right to demand a business selling the personal information of the consumer to not to sell the personal information. The respective businesses shall provide a notice to the consumer regarding the sale of their personal information and that the consumers have full right to opt out. Also, the business which has been directed by the consumer to not to sell the consumer’s personal information shall be prohibited from doing so, until the consumer provides the authorization expressing the consent regarding the sale of the consumer’s personal information.
4. Right to equal Service and Price
This right safeguards the consumers against discrimination from the businesses. The discrimination might be caused either due to the consumer request for their personal information or may be due to consumer’s request not to sell their personal information. This might include denial of goods or services to the consumers, charging different rates for goods or services, providing a different quality of goods or services to the consumer or suggesting that consumer will receive a different level of service or goods, if consumer exercises consumer rights, under this act.
5. Easy compliance with Right to know and disclosure requirements:
Under this right, a business shall make available for the consumers two or more designated methods for submitting requests for information to be disclosed. The methods could include a toll-free phone number or if the business owns a website, then a web address. It is required by the business to disclose and deliver the information demanded by the consumer free of charge within a specific time of receiving a verifiable request from the customer. The following are the inclusions:
- The information to be delivered through either consumer’s account with the business, if consumer maintains an account with the business, or by mail or any other digital means at the consumer’s wish if the consumer doesn’t maintain an account with that business. The business shall not ask the consumer to create an account with the business, in order to make a verifiable request. In such case, the business can associate the information provided by the consumer in the request form with the previously collected information about the consumer and identity by category(ies) of the personal information collected about the consumer in the preceding 12 months.
- It requires businesses to identify the category or categories of personal information sold by the businesses in the preceding 12 months. To provide the accurate names and contact information of the third parties to whom the information was sold in the previous 12 months.
- The businesses shall provide accurate names and contact information of the third party/ies to which the consumer’s personal information was disclosed for any business purpose in the preceding 12 months.
- The businesses shall disclose the information regarding the selling or disclosure of information of the consumer in preceding 12 months in the privacy policy online or if the business doesn’t have any such online policy, and then it should update the information at least once in every 12 months. The business shall also let the consumer know in case it has not sold or disclosed the personal information of the consumer in the preceding 12 months for any business purpose. Also, the businesses should ensure that individuals handling consumer inquiries should be aware of the different clauses of the California Consumer Protection Act and business compliance with this act.
- The categories of personal information include real name, aliases, postal address, email, account number, commercial information, biometric data, internet or other electronic network activity information, professional information, etc.
CCPA is for whom?
This act is proposed only for the residents of California. This implies that if a person from Los Angeles visits the city of New York wouldn’t be covered under this ACT. Also, it is likely that if a company is doing business in the U.S. won’t be able to avoid the law, if passed.
Is CCPA similar to GDPR?
Not exactly, but the California Consumer Privacy Act once passed, will require the consumers to request an opt-out for data collection rather than the GDPR’s opt-in stance on the consent.
Wrapping up:
The California Consumer Protection Act will give the liberty to the consumers to opt-out from letting the companies use their personal information. As noted, the penalty of the consumer data breach will amount from $750 to $7500 per violation. Companies will be given 30 days to fix any such problem related to either consumer or state lawsuits.