CCPA – The California Consumer Privacy Act
From a European point of view, the California Consumer Privacy Act (CCPA) certainly feels like a harmless variant of the GDPR. After all, we are used to tougher data protection laws. And I don’t just mean the GDPR. We already had very strong data protection laws at EU level, and especially in Germany.
The CCPA protects the personal information of California residents and came into effect on January 1st, 2020. It applies to for-profit businesses that do business in California (wholly or in part) and meet at least one of three thresholds:
- Annual gross revenue exceeds US$25 million.
- They buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices per year.
- They derive 50 percent or more of their annual revenue from selling personal information.
It seems apparent that the intention of the new act is to force the big IT companies in Silicon Valley to improve data protection. Facebook, Google, Apple... all have their headquarters in sunny California - and clearly meet the criteria.
However, it is questionable whether the plan to affect the big ones will work out. In a widely cited article on the CCPA, Wired explains that Facebook, for example, doesn't really sell personal information, but converts it into pseudonymous identifiers that advertisers then use to target ads.
Either way, the CCPA feels like an earthquake to the US economy. The companies based there had hardly ever been bothered with such annoying things as data protection before.
New Rights for Californians
California’s citizens gain five major new rights as a result of CCPA. These are:
- The right to request information on the collection, use and sale of personal data in connection with the requesting consumer.
- The right to request a copy of any personal data collected during the 12 months before their request.
- The right to have such information deleted.
- The right to request that their personal information not be sold to third parties.
- The right not to be discriminated against because any of the above rights have been exercised.
Furthermore, the CCPA gives consumers a private right of action with statutory damages (US$100 to US$750 per consumer per incident, or actual damages if greater) when their personal information is exposed in a breach caused by the business's failure to implement reasonable security measures. On this point, the CCPA goes a step further than the GDPR: fines imposed on the basis of European data protection law always flow into the treasury, and a compensation claim under Art. 82 GDPR requires the individual to prove the damage suffered.
The new legislative initiative: CPRA
In the November 2020 election, Californians voted for "Proposition 24", the California Privacy Rights Act (CPRA), which amends and extends the CCPA. It gives Californian users the right to limit the use and disclosure of their sensitive personal information. In addition, not only the sale but also the "sharing" of data (passing it on for cross-context behavioral advertising, even without payment) counts as a covered transfer. For enforcement, a new authority is created, the California Privacy Protection Agency, which takes over rulemaking and enforces the law alongside the California Attorney General. Other changes the California Privacy Rights Act brings include:
- The second applicability threshold is raised: businesses that buy, sell or share the personal information of 100,000 or more consumers or households are subject to the CPRA (devices no longer count toward the threshold).
- Similar to Article 9 of the GDPR, a new category of "sensitive personal information" is defined, covering for example government identifiers, precise geolocation, account credentials, and health, biometric, racial or ethnic data.
- Administrative fines for violations involving the personal information of consumers known to be under 16 are tripled, to up to US$7,500 per violation.
However, the CPRA is viewed critically as well. Users must be offered an opt-out from the sale and sharing of their personal data, and the law forbids discriminating against those who exercise it, but it still allows a business to offer a different price or level of service if the difference is reasonably related to the value of the user's data. In practice, opting out can therefore cost the user access or features.
The CPRA is set to take effect on January 1, 2023, with enforcement starting July 1, 2023. Companies should start preparing for the changes now. Since other U.S. states have already followed California's example with the CCPA, it is very likely that they will do the same with the CPRA.
CCPA and Encryption
The statutory damages described above can only be claimed if personal information was exposed in unencrypted (or unredacted) form. Here the CCPA is much more concrete than the GDPR, which only speaks of appropriate technical and organizational measures. Encryption does not help, however, if the key was exposed alongside the data: the ciphertext is then effectively plaintext, and a court will ask exactly which encryption keys were affected by the leak. For a practitioner this means the key material must live somewhere the breach cannot reach. A key stored in the same database, the same backup or the same application configuration as the ciphertext offers no protection, and a key held by the storage provider is compromised whenever the provider is.
In summary, companies best protect themselves from such claims with true zero-knowledge encryption: data is encrypted on the client before it is uploaded, and the keys never leave the data owner's control, so a breach at the storage provider exposes ciphertext only.
How Can Boxcryptor Help?
Boxcryptor is encryption software for teams and single users. It encrypts data on the client, before it is transferred to a cloud of choice, using AES-256 for the file contents and RSA to protect the AES keys (hybrid encryption). AES-256 is approved by the U.S. government for encrypting classified information and is considered the standard for data encryption. With Boxcryptor, businesses and individuals can take an important step toward securing their personal and business information, and meet CCPA, GDPR and HIPAA requirements.
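As an added illustration of the two points made above (AES-256/RSA hybrid encryption performed before upload, and why a key leaked together with the ciphertext turns "encrypted" into "disclosed"), here is a self-contained envelope-encryption example in Go. It is an example written for this article, not Boxcryptor's code, and it makes no claim about Boxcryptor's actual file format; the key sizes, the `EncryptedObject` layout and the sample record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptedObject is what actually lands in the cloud: the AES-256-GCM ciphertext
// and the data key wrapped with the user's RSA public key. (Assumed layout.)
type EncryptedObject struct {
	Nonce      []byte
	Ciphertext []byte // includes the 16-byte GCM authentication tag
	WrappedKey []byte // RSA-OAEP(DEK); can only be opened with the user's private key
}

// Encrypt performs hybrid (envelope) encryption: a fresh random 256-bit data
// encryption key (DEK) protects the content, RSA-OAEP protects the DEK.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32) // AES-256 key, one per object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for this DEK
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: wrapped,
	}, nil
}

// UnwrapDataKey recovers the DEK. It needs the private key, so it can only run
// where that key lives: on the user's device, not at the storage provider.
func UnwrapDataKey(priv *rsa.PrivateKey, obj *EncryptedObject) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, obj.WrappedKey, nil)
}

// OpenWithDataKey decrypts and authenticates the ciphertext with a raw DEK. This is
// exactly what an attacker can do if a breach exposes the ciphertext together with
// its key: the "encrypted" data is plaintext to them.
func OpenWithDataKey(dek []byte, obj *EncryptedObject) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// Decrypt is the legitimate path: unwrap the DEK with the private key, then open.
func Decrypt(priv *rsa.PrivateKey, obj *EncryptedObject) ([]byte, error) {
	dek, err := UnwrapDataKey(priv, obj)
	if err != nil {
		return nil, err
	}
	return OpenWithDataKey(dek, obj)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	user, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the user's device
	if err != nil {
		log.Fatal(err)
	}
	record := []byte("Jane Doe, 94103, orders: 17") // constructed sample, not real data
	obj, err := Encrypt(&user.PublicKey, record)
	if err != nil {
		log.Fatal(err)
	}
	// Breach 1: the cloud copy leaks, keys stay with the user. Unreadable to anyone else.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Decrypt(other, obj)
	fmt.Println("ciphertext only:", err)
	// Breach 2: the cloud copy leaks together with the data key. Plaintext to the attacker.
	dek, _ := UnwrapDataKey(user, obj)
	pt, _ := OpenWithDataKey(dek, obj)
	fmt.Printf("ciphertext plus key: %q\n", pt)
}
```

The two breach scenarios in `main` are the practical content of the encryption clause: the same stored object is worthless to a party holding only the ciphertext (including the storage provider, who never sees the private key), and fully readable to anyone who obtains the data key or private key in the same incident. GCM also rejects any modified ciphertext, so tampering with the cloud copy is detected rather than silently decrypted to garbage.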