Blog Layout

The California Consumer Privacy Act – CCPA

Gordon Povey • 27 September 2018

Oh no, more data privacy legislation is coming! The California Consumer Privacy Act (CCPA) will kick in on 1st January 2020. For many of us the key questions are; what is the difference between CCPA and GDPR, and will it affect me?

The short answers are that it has similarities to GDPR but is different in several aspects, and secondly – in theory it should only really affect you if you are a citizen of California, or if you are a large company that processes personal information that includes one or more citizens from California. However, its reach will be much broader than this since companies are unlikely to adopt different policies exclusively for their Californian customers.

I am going to elaborate on these points, but still want to keep it short and so have generalised a little – you can read about it in more detail from the links I will give at the bottom.

How will CCPA affect us?

Most individual citizens may not notice much impact from CCPA, even as it comes near to the enforcement date. We may see a small email storm but less than we suffered for GDPR. The reason for this is that CCPA is largely based on opt-out rather than GDPR’s opt-in.  American citizens (especially those in California) are likely to see more activity prior to implementation. For most of us, we will be told that service terms & conditions are being updated, but then this happens regularly anyway and few of us read these before agreeing.

After implementation one change we may observe is the appearance of opt-outs regarding the sale of data – a “Do Not Sell My Personal Information” option as default – you will need to select this in order to opt-out. In addition, those aged 13-16 should automatically be opted out and so “I am over 16” might also be ticked as a default. Those under 13 will require parental consent to allow their data to be sold. Interestingly a company could sell the information of a minor without consent if they do not have “actual knowledge” that the consumer is under 16 so it will be interesting to see how this will be interpreted in practice.

In the short-term it is companies with Californian customers that will be most affected. However, the Act only applies to companies of a certain size (turnover of $25 million or more), or that hold personal information on more than 50,000 consumers (or devices). Thus, it will be large companies, most of whom will already have dealt with GDPR compliance, that will be most affected. It is likely that these companies will develop policies for customers that jointly covers GDPR and CCPA.

So, will citizens benefit from CCPA? If we are already under GDPR then I can see little if any benefit. If you are subscriber to services that do not need to be GDPR compliant (e.g. a US citizen who’s personal information is held in the USA) then CCPA can give you GDPR-like rights and benefits regarding the use of your Personal Information. However, CCPA is not the same as GDPR and in many ways it is weaker.

The main differences between CCPA and GDPR

Who it applies to: CCPA only applies to citizens of California, and of course it will apply to companies that hold personal information on any citizen of California and so it will have global impact. GDPR applies to companies operating in the EU, it also applies to companies that hold or process data on EU citizens so GDPR has a greater global impact.

What does it apply to: The Act applies to “personal information”. The definition is quite wide and similar to GDPR but slightly wider in the sense that if “households” can be identified from the data then it is considered “personal information” even although an individual is not identified.

Who is regulated: CCPA only applies to larger for-profit companies that process or hold significant “personal information”. The company will have a turnover of above $25 million; or process/hold personal information of 50,000 or more individuals, households or devices; or make more than 50% of revenues from selling personal information. Any business that is not in California and does not use information on the states citizens is completely exempt. GDPR on the other hand applies to almost all companies (no matter the size) that use personal information in the EU or related to EU citizens.

What rights does it give: Consumers protected by CCPA are entitles to be given notice about the categories of information being collected and the business purpose for which it is being collected, plus any intention to sell this information with the option to opt-out of this sale. Note that CCPA relies on an opt-out policy, whereas GDPR is opt-in. The customer has the right to be told what type of information is being held, although in practice this might be a boilerplate list. The customer may request that their personal information is deleted (and there are a few exemptions to this) so this is similar to, but not quite the same as, GDPR’s ‘right to be forgotten’. CCPA has no direct equivalent to GDPR’s data portability i.e. the right to request a copy of your personal information. To comply a company only needs to disclose information about what has been collected over the last 12 months but the Act does not seem to provide an explicit right to obtain a full copy of the actual data itself. All customers must be treated equally under the Act meaning that a request made under the Act cannot be used as a reason to alter any terms or pricing for that customer.

Penalties:  Under CCPA damages of $100-750 per consumer per incident are applicable. For GDPR the penalties can be Up to €20 million, or 4% annual global turnover – whichever is higher. So, although different, both can apply severe penalties.

Read more …

This has been a very superficial look at CCPA, but hopefully its conciseness makes it useful and readable. Here are a couple of articles that provide more detailed information that I found useful in trying to understand CCPA.

by Gordon Povey 12 March 2020
Better Internet Search Ltd has a license to use the 1-timeline technology developed by Trisent. They have just announced that the second alpha version of their alternative search engine is to be launched on 18th March. This version includes general web searches plus news, images, video, maps and shopping. The development has been supported by […] The post Better Internet Search – Alpha 2 appeared first on Trisent.
by Gordon Povey 9 March 2020
Did you know that as a small business owner, you are one of the primary targets for cyberattacks? Cybercriminals are everywhere, and there are more and more ways in which they can prey on you. We all have vulnerabilities, and we can all be victims, but that doesn’t mean that we should just lay in […] The post How to Protect Your Small Business from Cyberattacks appeared first on Trisent.
by Gordon Povey 4 October 2019
New start-up company, Better Internet Search Ltd, is revealed through an article in the Herald. The new company is based on technology developed by Trisent Ltd. The post Better Internet Search Ltd is announced. appeared first on Trisent.
by Gordon Povey 6 September 2019
Trisent is looking for talented software developers to join and exciting project. A full-stack developer is needed immediately and they are also looking for skills in a number of other areas too. The post Hiring Software Developers Now appeared first on Trisent.
by Gordon Povey 25 July 2019
Currently, the predominant business model for commercial search engines is advertising. The goals of the advertising business model do not always correspond to providing quality search to users The post Search engine bias is particularly insidious appeared first on Trisent.
by Gordon Povey 1 March 2019
TRISENT is strengthening its collaboration with Edinburgh Napier University through two student projects supported by the Erasmus Programme. Two final-year students from Spain are coming to Edinburgh in March as part of the European Erasmus Programme. They will both be working with Trisent Ltd and Edinburgh Napier University on Proof-of-Concept projects which demonstrate the benefits that […] The post Trisent is to benefit from the European Erasmus Programme appeared first on Trisent.
by Gordon Povey 5 February 2019
This is a guest blog post by Jack Warner of TechWarn. The French government bids farewell to Google and adopts Qwant. At the end of last year, the French National Assembly announced that they are not going to use Google anymore. All the devices belonging to the French government will adopt a new search engine […] The post Goodbye Google, Hello Qwant! appeared first on Trisent.
by Gordon Povey 19 December 2018
Blockchain and smart contracts cannot be inherently trusted – they must establish trust in the architects, the coders the participants, and anyone involved in the implementation and operation of the system. However, the transparency and consensus mechanisms built into the technology are a significant aid to building that trust. The post Can blockchain solve the problem of trust? appeared first on Trisent.
by Gordon Povey 29 November 2018
In 1998 a colleague introduced me to the Google search engine and as a result I made the shift from my previously preferred search engine, Alta Vista, to Google. Twenty years on, despite trying many others, I still use Google regularly. I was delighted by the Google experience 20 years ago, but today I dislike Google search for several reasons. However, I have yet to find a noticeably better alternative. The post When will Google’s search engine monopoly be broken? appeared first on Trisent.
by Gordon Povey 1 October 2018
For those not familiar with the ‘Filter Bubble’, the term was coined by Internet activist Eli Pariser around 2010 and refers to a state of intellectual isolation resulting from personalisation applied to the delivery of web content. The suggestion is that users become separated from information that disagrees with their viewpoints. This effectively isolates individuals within their […] The post Avoiding the Filter Bubble appeared first on Trisent.
More posts
Share by: