Share this article on:
On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act have been mandatory since January 1, 2020.
The grace period has now elapsed. California Attorney General Xavier Bercerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given.
“Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Bercerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
Now that the CCPA has teeth it means that any violation of the CCPA from July 1, 2020 can attract a financial penalty of up to $7,500 per violation. If a company is believed to be in violation of the CCPA, a warning will be issued, and the company will be given 30 days to correct the violation or financial penalties and lawsuits may follow.
The CCPA introduced a swathe of new privacy protections for California consumers and many individuals outside of California, mirroring several of the rights introduced by the EU’s General Data Protection Regulation (GDPR). The CCPA applies to all companies that have over $25 million in annual revenue, companies that collect the personal information of more than 50,000 consumers, households, or devices, and any business that derives more than 50% of its annual revenue from selling the personal information of consumers.
The CCPA gives consumers in the state of California the right to know what personal information companies are collecting and the purpose for which data is being collected. No other personal data can be collected other than the data types covered by the consent given by consumers.
Companies covered by the act must have a banner on their website informing consumers about their rights, which includes the right to opt out and not have their personal data collected. Consumers can request all personal information collected by a company be deleted and companies must have a process in place to delete personal information if such a request is received.
The CCPA prohibits the sale of the personal information of minors under the age of 16 without their permission, and the sale of the personal information of minors under the age of 13 is only permitted with parental consent. The CCPA also prohibits companies from discriminating against consumers who choose to exercise their rights under the CCPA.
There is also a private cause of action, so consumers can take legal action against companies over breaches of their unredacted, unencrypted personal information and can claim $100 and $750.