CCPA – The New California Data Protection Act
From a European point of view, the California Consumer Privacy Act (CCPA) certainly feels like a harmless variant of the GDPR. After all, we are used to tougher data protection laws. And I don’t just mean the GDPR. We already had very strong data protection laws at EU level, and especially in Germany.
The CCPA relates to the data of Californian citizens and becomes effective on January 1st, 2020. It applies to all companies that operate their business (or parts of their business) in California and meet at least one of the following three requirements:
- Annual sales exceed 25 million US dollars.
- The company purchases, receives or sells personal information from more than 50,000 California households or more than 50,000 devices.
- More than half of annual turnover is generated through the sale of personal data.
It seems apparent that the intention of the new act is to force the big IT companies in Silicon Valley to improve data protection. Facebook, Google, Apple... all have their headquarters in sunny California - and clearly meet the criteria.
However, it is questionable whether the plan to affect the big players will work out. In a highly acclaimed article on the CCPA, Wired explains that Facebook, for example, doesn't really sell personal information, but converts the information into pseudonyms that advertisers then use to serve targeted ads.
Either way, the CCPA feels like an earthquake to the US economy. The companies based there had hardly ever been bothered with such annoying things as data protection before.
New Rights for Californians
California’s citizens gain five major new rights as a result of CCPA. These are:
- The right to request information on the collection, use and sale of personal data in connection with the requesting consumer.
- The right to request a copy of any personal data collected during the 12 months before their request.
- The right to have such information deleted.
- The right to request that their personal information not be sold to third parties.
- The right not to be discriminated against because any of the above rights have been exercised.
Furthermore, under the CCPA there is a right to claim damages, should personal data have been disclosed. On this point, the CCPA goes a step further than the GDPR: fines imposed on the basis of European data protection laws always flow into the treasury, not to the affected persons.
CCPA and Encryption
The aforementioned damages can only be claimed if personal data has been disclosed in unencrypted form. Here the CCPA is much more concrete than the GDPR, which only talks about technical and organisational measures. However, consumers can also claim damages if the disclosed personal data was encrypted but the key was disclosed along with it, since in that case the data is effectively visible in plain text. This means that, after a data leak, the courts will ask exactly to what extent the encryption keys were affected as well.
In summary, companies can best protect themselves from such claims by using true zero-knowledge encryption, where the provider never holds the keys that could be leaked together with the data.
How Can Boxcryptor Help?
Boxcryptor is an encryption software for teams and single users. The software encrypts data with a combination of the AES-256 encryption algorithm and RSA encryption before it is transferred to a cloud of choice. AES-256 is the U.S.-government-approved algorithm for encrypting classified data and is considered the standard for data encryption. With Boxcryptor, businesses and individuals can take an important step toward securing their personal and business information. We help you meet the legal criteria of the CCPA, the GDPR and HIPAA.