The California Consumer Privacy Act is a law in, well… California.
So why should you be worried about it if you don’t live there?
Since California has the fifth-largest economy in the world and has many citizens residing there, it would be hard to keep your internet dealings from touching the state. The CCPA operates much like the GDPR, a European internet privacy law that follows EU citizens wherever they go: the CCPA likewise follows California residents wherever they go. To protect yourself from a lawsuit, you should be familiar with the CCPA and update your security policies as necessary.
One novel part of the CCPA is the anti-discrimination clause and the associated, astronomically high fines. When you use a free service such as Gmail or Facebook, you are not actually using a “free” service. These giant websites require lots of money to keep running, and you are how they keep that money flowing.
Gmail and Facebook make money by collecting your information, compiling it into profiles, and selling those profiles to advertisers so that they can target specific ads to you.
Have you ever seen an ad on a news website for something that you looked at on Amazon yesterday?
Under the CCPA, California residents have a right to opt out of data collection on the websites they visit and a right not to be discriminated against by websites for opting out. In short, they cannot be barred from using a service because they opted out. This is alarming for free online services, as they are being threatened with a loss of profit. Will this be the death of free services? Only time will tell.
As stated earlier, the fines for violating the CCPA can be extremely expensive. The CCPA uses a statutory damages model, which is pretty common in the U.S. Typically, harm must be proven.
However, the CCPA actually circumvents this, and harm need not be proven. There is a set fine per incident or per person affected. For example, the California anti-email spam law provides for fines of $1,000 per email!
Now imagine what the fines would be for a data breach like the Equifax breach where 180 million people were exposed (yes, the CCPA covers data breaches as well). This not only incentivizes companies to protect their customers’ data but also incentivizes the attorney general to prosecute non-compliant companies.
I’ll explain more about the role of the attorney general in all of this in the next post in this series.