California Consumer Privacy Act (CCPA)
What it is about, whom it concerns, what needs to be observed and what fines may be imposed.
In contrast to the EU, there is no uniform data protection law in the USA. Because of federalism in the United States, existing laws are limited to individual areas or states.
The same applies to the CCPA. The data protection law, introduced on January 1, 2020 (and enforceable from July 1, 2020), is limited to the state of California. This particularly affects Silicon Valley. Hardly anywhere else in the USA is more data collected and processed than here.
Above all, it is intended to strengthen the rights of consumers with regard to their personal data.
The CCPA becomes relevant for companies that do business in California (a branch or sales office is also sufficient) and meet one or more of the following requirements:
The legal text of the CCPA is as follows:
"(...) that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($ 25,000,000), as adjusted according to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information (...)."
Based on these requirements, it becomes clear that a number of companies will be affected.
The CCPA imposes a variety of obligations. For example, handling marketing cookies without opt-in is possible in certain cases. For people aged 16 and over, the processing of cookies is permitted without consent. People under 16 years of age must actively agree, and for people under 13 years of age, the parents must agree.
However, here too an explicit reference to the opt-out option must be given. In this respect, the cookie banner already known in Germany will also be introduced in the USA.
If both laws apply to you, you must observe both. You should therefore urgently ask your data protection officer whether he has already dealt with the new CCPA, because here too there are fines. Above all, it can be expected that the Californians will crack down on violations with fines.
Most likely yes. For violations of the CCPA, companies must pay $7,500.00 (negligence will reduce the amount to $2,500.00). If your data protection violation also falls under the GDPR, a further penalty can also be expected in Europe.
It is noteworthy (and dangerous) for entrepreneurs that 20% of the sanctions go to a special California fund that will fund state prosecution of CCPA violations. Prosecution of CCPA violations can therefore be expected to grow exponentially.
If your company meets one of the above requirements, you should urgently check whether your company (or the branch) meets the requirements of the CCPA. The legal text of the CCPA suggests that the fines can be imposed in each individual case. This means that, for example, 100 website visitors with an incorrect or missing cookie notice can incur fines of between $250,000.00 and $750,000.00 (depending on whether negligence or intent is involved).
Should you have any questions about the CCPA, our attorney Stephen Hendel is gladly at your disposal.