CCPA – The California Data Protection Act

From a European point of view, the California Consumer Privacy Act (CCPA) certainly feels like a harmless variant of the GDPR. Companies that comply with the GDPR have so far only had to make minor adjustments for processing personal data in California. However, the CPRA, a more concrete version of the CCPA, will change this as of January 1, 2023. We have broken down the details for you.

Who does the CCPA apply to

The CCPA relates to the data of Californian citizens and came into effect on January 1st, 2020. It applies to all companies that operate their business (or parts of their business) in California and meet at least one of the three requirements:

• Annual sales exceed 25 million US dollars.
• The company purchases, receives or sells personal information from more than 50,000 California households or more than 50,000 devices.
• The company generates more than half of its annual turnover through the sale of personal data.

It seems apparent that the intention of the new act is to force the big IT companies in Silicon Valley to improve their data protection. Facebook, Google, Apple... all have their headquarters in sunny California - and clearly meet the criteria.

However, it is questionable whether the plan to affect the big ones will work out. In a highly acclaimed article on CCPA, Wired explains that Facebook, for example, doesn't really sell personal information, but converts the information into pseudonyms that advertisers then use to play targeted ads.

Nevertheless, the CCPA feels like an earthquake to the US digital industry. The companies based there had hardly ever been bothered with such annoying things as laws on data protection before.

New Rights for Californians

California’s citizens gain five major new rights as a result of CCPA:

1. The right to request information on the collection, use, and sale of personal data in connection with the requesting consumer.
2. The right to request a copy of any personal data collected during the 12 months before their request.
3. The right to have such information deleted.
4. The right to request that their personal information not be sold to third parties.
5. The right not to be discriminated against because any of the above rights have been exercised.

Non-Discrimination Principle

The Non-Discrimination Principle, in particular, has caused a great deal of turmoil. In the U.S., it is much more common than in Europe to match data before someone can get a job contract or take out insurance. And data also plays an important role in healthcare. A 2019 study matched the predictions of a health care algorithm with real-life data and found a massive disadvantage for black patients. The CCPA now provides the legal basis for a lawsuit in such cases.

Damage Compensation

Additionally, there is a right to claim damages, should personal data have been disclosed. In this case, the CCPA goes a step further than the GDPR. Fines imposed on the basis of European data protection laws always flow into the state coffers.

Data Protection Declaration

The CCPA imposes an easy-to-solve requirement on companies with the obligation to update their privacy statements every 12 months. For consumers to check this at a glance, the privacy statement must be dated.

From January 1, 2023: CPRA

With the U.S. presidential election at the end of 2020, California voted to solidify the CCPA with “Proposition 24” under the name: CPRA. It aims to give Californian consumers "the right to prevent the transfer of sensitive information". In addition, not only the sale but also exchange of data is to be understood as "transfer" in the future.
For this purpose, a new authority is being planned, which will be in constant exchange with the California Department of Justice.

Other reforms that follow with the California Privacy Right Act include:

• Companies that process personal information of at least 100,000 consumers or households are subject to the CPRA.
• Similar to Article 9 of the GDPR, a new subcategory of personal information has been defined. High-risk data shall consequently be considered as sensitive personal data.
• If data breaches involve juveniles aged 16 or under, the applicable penalties will be tripled.

However, the CPRA is viewed critically as well. For example, although it must be offered an opt-out option for the sale and sharing of personal data, it is not linked to the right to use the service. People voting against data sharing, can simply be excluded.

The CPRA takes effect in January 2023 and applies to data collected since January 1, 2022. Companies should gradually start to become aware of the changes. Since other states in the U.S. have already followed California's example with the CCPA, it is very likely that this will also be the case with the CPRA.

CCPA, CPRA, and Encryption

The aforementioned damages for the disclosure of personal data can only be claimed if the data has fallen into the wrong hand in unencrypted mode. Here, the CCPA is much more concrete than the GDPR, which only talks about technical and organizational measures.

However, affected persons can also claim damages if the disclosed personal data was encrypted but the key was also disclosed. In this case, the data would be visible in plain text. This means that the courts will ask exactly to what extent encryption keys were affected in a data leak.

How Can Boxcryptor Help?

Boxcryptor is an encryption software for teams and single users. The software encrypts data using a combination of the AES-256 encryption algorithm and RSA encryption before it is transferred to a cloud of choice. With Boxcryptor, businesses and individuals can take an important step toward securing their personal and business information. We help you meet CCPA and CPRA legal criteria, as well as GPDR and HIPAA requirements.