What is the CCPA about?
In contrast to the EU, there is no uniform data protection law in the USA. Because of federalism in the United States, existing laws are limited to individual areas or states.
The same applies to the CCPA. The data protection law, introduced on January 1, 2020 (and enforceable from July 1, 2020), is limited to the state of California. This particularly affects Silicon Valley. Hardly anywhere else in the USA is more data collected and processed than here.
Above all, it is intended to strengthen the rights of consumers with regard to their personal data.
For which companies is the CCPA important?
The CCPA becomes relevant for companies that do business in California (a branch or sales office is sufficient) and that meet one or more of the following requirements:
- Collect more than 50,000 pieces of personal data per year
The company must collect more than 50,000 pieces of data from California-based consumers, households, or their devices. This also includes smart IoT devices.
- Annual gross revenue greater than $25 million, or
- 50% or more of revenue is generated from the sale of consumers' personal information
The legal text of the CCPA is as follows:
"(...) that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted according to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information (...)."
Based on these requirements, it becomes clear that the law will affect a number of companies.
What needs to be considered?
The CCPA imposes a variety of obligations. For example, handling marketing cookies without opt-in is possible in certain cases. For people aged 16 and over, the processing of cookies is permitted without consent. People under 16 years of age must actively agree, and for people under 13 years of age, the parents must agree.
However, an explicit notice of the opt-out option must be given here as well. In this respect, the cookie banner already familiar in Germany will also be introduced in the USA.
Does the GDPR take precedence over the CCPA?
If both laws apply to you, you must observe both. In this respect, you should urgently ask your data protection officer whether they have already dealt with the new CCPA, because here too there are fines. Above all, it can be expected that California will crack down on violations with fines.
Does a fine have to be paid twice?
Most likely yes. For violations of the CCPA, companies must pay $7,500.00 (negligence will reduce the amount to $2,500.00). If your data protection violation also falls under the GDPR, a further penalty can also be expected in Europe.
It is noteworthy (and dangerous) for entrepreneurs that 20% of the sanctions go to a special California fund that will fund state prosecution of CCPA violations. The prosecution of CCPA violations can therefore be expected to grow exponentially.
If your company meets one of the above requirements, you should urgently check whether your company (or the branch) meets the requirements of the CCPA. The legal text of the CCPA suggests that the fines can be imposed for each individual case. This means that, for example, 100 website visitors with an incorrect or missing cookie notice can incur fines of between $250,000.00 and $750,000.00 (depending on whether the violation was intentional or negligent).
Should you have any questions about the CCPA, our lawyer Stephan Hendel is gladly at your disposal.