The onset of the “digital era” presented its own set of advantages but later proved to be more harmful than what mankind could have estimated. Data leaks are a prevailing concern among many individuals, companies as well as nations. To put a finishing mark on the rising threats of breach of privacy, the California government initiated the California Consumer Privacy Act(CCPA) in 2018.

Implementation of CCPA

 Two years later, on January 1, 2020, the above-mentioned act was turned into a law and created “the strictest data privacy and digital consumer rights law in the US.” The California Consumer Privacy Act followed suit to the General Data Protection Regulation(GDPR) of the European Union. It outlines measures for data collection, defines the consequences for businesses that fail to protect their user data, as well as the rights Californians can exercise over their personal information. The CCPA was brought into effect on January 1, 2020, but companies were given a grace period till July 1, 2020, after which the California Attorney General began issuing fines for waywardness. 

CCPA Compliance 

Simultaneously, to help businesses understand CCPA compliance, the CCPA regulations were drafted by the California Attorney General for the smooth implementation of the law. The regulations were introduced on October 11, 2019 and revised three times for California’s Office of Administrative Law’s approval. Each revision was followed by feedback from California citizens, industry representatives, and other interested parties. A violation of the regulations has been equated to the violation of the law itself, making it crucial for people to follow the guidance of the regulations in addition to the law.

The requirements of CCPA are easier to comply with in comparison to the European plan. The CCPA compliance aims to cover four main areas- non-discrimination, access, protection, and user control.

Californians have the following privacy rights –

  1. To know what information is being collected.
  2. To know whether the information is being sold or disclosed to other parties and to whom.
  3. To refuse to disclose their personal information.
  4. To access and delete personal data.
  5. To equal service and price despite exercising their privacy rights 

Lastly, the CCPA aims to bring about transparency between businesses and individuals. Consumers can know what data is being shared with businesses and how it is being used. This aims to build a sense of trust between the two. Individuals can also make a “verifiable request” to businesses to share information regarding the usage of their data, to which they have to adhere to within 45 days and present all the data collected, shared, used, and sold within the last 12 months.   

California Privacy Rights Act  

The CCPA gave way to the California Privacy Rights Act(CPRA) in November 2020. Californian citizens voted to bring into existence CPRA as an expansion of CCPA. It is to come into effect on 1 January, 2023. It provides additional individual privacy rights of correction and expansion of the rights to delete. Additionally, businesses are expected to notify third parties to delete the data as well. The law further brought in the aspect of “sensitive” data that did not find a place in CCPA. Sensitive Data includes: 

  • Race, ethnicity, religion
  • Biometrics, health, sex life
  • Content of mail, email, and text messages 
  • Debit and credit card numbers and login data
  • Audio, electronic, visual, or thermal information
  • Inferences are drawn from this information to create consumer profiles recording preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

CPRA includes “businesses” that meet at least one of the following criteria:

  1. It generates over $25 million in annual gross revenue.
  2. Buys, sells, or shares personal information of 50,000 or more consumers, households, or devices for commercial purposes. This will be changed to 100,00 consumers under CPRA.
  3. Derives 50% or more of its annual revenue from selling consumer data.

Finally, CCPA and CPRA allow consumers to file lawsuits for violation of privacy rights in contrast to the conventional lawsuits on proof of damages. If a violation has taken place, the law prescribes for the business to be notified before any legal action is taken. Previously, businesses got an opportunity to “cure” the violation in 30 days, but CPRA is said to end that in 2023. Contrarily, businesses may face penalties if they do not fix the violations. 

Next US States to Implement Privacy Rights

 CCPA in California and GDPR in the European Union provided stepping stones for other similar data privacy laws in the next US states. Laws similar to CCPA and CPRA were passed in Virginia. Bills regarding the protection of user data were also put forth in Washington and Oklahoma but were struck down by both the left and the right. Those on the right argued for more bandwidth for businesses to collect user data while the left advocated for better privacy protection for consumers in both the states. The bill in Washington was discussed in the state legislature for the third time in a row in 2020. In the same year, the American Civil Liberties Union(ACLB) struck down the bill as they believed it lacked in protecting the rights of consumers to sue over violations and that it is focused on protecting businesses more. Simultaneously, in Oklahoma, the Computer Data Privacy Act largely walked along the lines of CCPA and the Virginia Consumer Data Protection Act(VCDPA) but diverged in one way- it proposed a consent-based, opt-in model in contrast to an opt-out model for consuming, sharing and selling data. It enjoyed massive support in the legislation but died in the hands of the senate. While the bills for data protection in both these states require alterations and more depth, the future remains unknown. Additionally, Florida has come up with a data protection act that gained support in the state legislation but its condition with the Senate is still unknown. Florida is known to have more chances in turning the bill into law as it did not face harsh criticism as in the case of Washington and Oklahoma. 

Laws such as the CCPA, VCDPA, and GDPR have motivated several US states to battle the privacy rights of their consumers. While this prevails as a relevant issue, concerns of breach of data not only have gotten the better of the US but also major countries across the world. Walking hand in hand with the US are countries like Iceland and Sweden which hopefully might stimulate a lot more states to follow.