What are California's Privacy Laws? And How to Comply With CCPA
January 9, 2023
It all leads back to GDPR. If you aren't yet familiar with GDPR, now is the time to get informed, because data privacy laws are expanding worldwide. The General Data Protection Regulation (GDPR) was passed into law in May 2018. In June of that year, California's privacy laws were passed; they came into effect on January 1, 2020.
Previously, there were no clear data privacy laws in the US. Tech companies could be sued for violating antitrust laws or lying to consumers, but there was no legal basis for protecting personal data. Data collection went virtually unregulated, and multiple attempts at legislation failed.
Through initiatives and referendums, citizens of many US states can place new legislation directly on the ballot. In 2017, Alastair Mactaggart, a California-based real estate developer concerned about data privacy, took that route, circumventing the normal legislative process to avoid California's tech lobby.
The Facebook Cambridge Analytica scandal broke the following year, and data privacy dominated the headlines. Because the initiative seemed certain to pass if it reached the ballot, the tech lobby and legislators worried that a 70% majority would then be required to change the law, so they passed their own version instead.
What is the CCPA?
The California Consumer Protection Act (CCPA) is similar to the GDPR, granting California consumers rights over how their personally identifiable information (PII) is collected, stored, and used by businesses.
The CCPA regulations guide the implementation of the act. Consumers now have the right to see all personal information a company has on them, how it is used, and the third parties with whom the data is shared. In addition, customers can sue companies if their privacy is violated, whether there is a breach or not.
Businesses must notify the consumer of the types of data they will collect at the time of the request and provide the information they've collected upon request. A business has 45 days to respond and 12 months to provide the requested information.
Consumers have the right to delete personal information collected about them (with some exceptions). Businesses are not required to provide an online form for data deletion, so consumers may have to assert this right by telephone or email. Once a request is received, a company has 45 days to respond (it can extend this period by a further 45 days if it sends a notice to that effect).
Consumers can opt out of the sale of their personal information. By default, children under 16 are protected from the sale of their information and must opt in before their personal information can be sold. If the child is under 13, a parent or guardian must give explicit consent on the child's behalf.
The legislation further guarantees that consumers may not be discriminated against for exercising their CCPA rights. Businesses cannot change the quality of products or services, or charge different prices, because a consumer has exercised any of these rights. Incentives such as discounts may, however, be offered in exchange for a consumer's personal information.
What data does CCPA cover?
The act defines covered data as any information that identifies, relates to, or could be linked, directly or indirectly, with a particular consumer or household.
Apart from the obvious, such as your name, email address, driver's license number, passport number, and social security number, PII also includes biometric data (including face outline or shape, iris images, and digital fingerprints), purchase and browsing histories, voice recordings, geolocation data, IP addresses, and the profiles that advertisers like Google build on consumers.
The CCPA originally included employee and consumer data, but a subsequent amendment exempts employee data from the regulation.
The CCPA applies to businesses that meet at least one of the following thresholds:
Have annual global gross revenues of over $25 million;
Receive, sell or buy the PII of 50,000 or more California residents;
Acquire at least 50% of their annual revenue from selling the personal information of Californians; or
Handle personal data from more than 4 million consumers, or share a brand with an affiliate covered by the CCPA.
Since the US lacks a national data law, and California is its largest state, the CCPA's repercussions have been felt all over the US, with major tech companies like Microsoft announcing that the changes it had made to comply with California's privacy laws would apply to all users in the US.
Whether a company is headquartered or physically present in the state is immaterial: the CCPA has extraterritorial reach, so a business does not even have to be based in the US to be subject to the act.
Who is Exempt from the Regulations of the CCPA?
Some businesses and organizations within the US are not subject to the regulations of the CCPA at all, including non-profits and government agencies.
An amendment to the act exempts "insurance institutions, agents, and support organizations," which are already subject to similar regulations under California's Insurance Information and Privacy Protection Act (IIPPA).
Financial institutions and financial services companies that are governed by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Act (CalFIPA) are also exempt from the provisions of CCPA.
Warranty and recall information, in all industries, is not subject to the act.
Biomedical studies subject to the “Common Rule” (the Federal Policy for the Protection of Human Subjects) and clinical trial information are not covered by the CCPA.
PII collected under the Fair Credit Reporting Act (FCRA) is also not covered by the CCPA where the FCRA authorizes its collection.
Data governed by the Driver’s Privacy Protection Act of 1994 (DPPA) is exempt from the CCPA.
How is CCPA compliance enforced?
The California Attorney General enforces CCPA compliance. Individuals cannot sue businesses for CCPA violations, except in the case of a data breach that has resulted in the theft of non-encrypted, non-redacted personal information. But individuals can register a consumer complaint with the Attorney General's office if they believe a business has violated the CCPA. The Attorney General may then launch an investigation and take legal action.
What happens if my business is not compliant?
The penalties for non-compliance are high. Once regulators notify them of a violation, companies have 30 days to comply. If the company fails to act within 30 days, the Attorney General might take civil action, including imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered intentional, that might rise to $7,500 for each violation.
What other privacy laws are there in the USA?
Several states have been working on their privacy legislation since California's privacy laws came into being. As of June 2021, privacy legislation was in committee in Illinois, Massachusetts, New York, North Carolina, Pennsylvania, and Texas. In addition to California, comprehensive consumer laws have been enacted in Colorado, Virginia, Connecticut and Utah.
The US is a patchwork of rules, with no generally applicable federal privacy law except where children are concerned. Under the Children's Online Privacy Protection Act (COPPA), federal requirements govern online information collected from children under thirteen. At the federal level, consumer privacy is also protected by the Federal Trade Commission (FTC) through its regulation of unfair competition; deceptive acts or practices are covered under Section 5 of the FTC Act.
There are also sector-specific privacy requirements (e.g., about the financial sector, telecommunications sector, healthcare providers, and rules applicable to using credit reporting information).
Domestically, financial data is protected under separate regulations covering banking data, credit reporting, and financial privacy. Health data is the domain of the Health Insurance Portability and Accountability Act (HIPAA).
Meanwhile, the Freedom of Information Act allows the public to request the disclosure of information held by public agencies. However, public agencies need not disclose certain types of information that fall under one of the act's exemptions. If information covered by one of the nine exemptions is contained in part of a document, video, audio recording, or image, the agency must redact that information before releasing the material to the public.
Video Redaction Software for CCPA Compliance
Redaction means censoring or obscuring part of a file (text, audio, image, document, or video). Before a file is released, redaction should be performed to hide the information it contains for security, legal, or compliance purposes.
Hiding information in a single image is easy, but not when there are thousands of images or video footage to process. People, faces, vehicles, audio, license plates, healthcare records, identity cards, and financial and other confidential information, including symbols and logos, must all be obscured by blurring or pixelating.
Video redaction tools enable even someone without video editing experience to create redacted versions of video files easily, without affecting the original file, so that CCTV surveillance and other footage is compliant.
How can you stay on top of California's privacy laws?
Businesses can't afford to expose themselves or their customers' data. If they do not secure their data management systems and certify that they have met all state law requirements, they face huge penalties. With affordable monthly subscriptions and free onboarding, don’t let cost and time be an excuse.
Sighthound Redactor offers smart video redaction solutions for businesses, local and state government enterprises, healthcare, education, law enforcement agencies, and manufacturing, financial, and banking industries. With several deployment options that fit the quantity and quality of videos businesses capture, there is sure to be a solution that can be personalized to any business needs.
Businesses should start planning for what will eventually become global industry standards for consumer data privacy, and be ready to comply as new privacy regulations become more widespread. In today's information-driven world, an organization that cannot manage its data will cease to exist. The only way to ensure a future in the market is to safeguard data, become proactive in privacy legislation awareness, and understand the various options for data redaction solutions.
To find out more about how Sighthound Redactor can save time, money, and stress in making your business compliant, contact us today!