California Consumer Privacy Act 2020: users can claim damages

[Alpha1]

California is the first US state who seems to be heading for a GDPR like amendment of its privacy laws.
Most of the CCPA is similar to the GDPR and contains all the major elements. But it also enables consumers to claim damages for each violation. Here is the summary:

Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights.

Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties.
Applies to online and brick-and-mortar businesses that meet specific criteria.

Yes, you have read that right: your forum users will be able to claim damages from you if you breach the CCPA.

The proposal has more than enough signatures to get on the ballot, although the final decision won’t be made until June 25. If it does make it on, which is highly likely, the initiative could be voted into law during the general election in November.

Google has previously opposed the proposal but has given up: https://www.privacyandsecuritymatters.com/tag/california-consumer-privacy-act/

More here: https://ballotpedia.org/California_...rmation_Disclosure_and_Sale_Initiative_(2018)

 

[Paul M]

So are all the US sites that say they are just going to block EU users because of GDPR also going to block Californian users ?

 

[Nev_Dull]

Although I just skimmed the proposal, I think most forums should be fine, as tit seems to be aimed solely at businesses. Only those who run their forums as a business entity, or as part of another business will have to be concerned. But it is a wake-up call for those thinking GDPR is just a problem for the Euro-Trash Socialists.

 

[Tracy Perry]

So are all the US sites that say they are just going to block EU users because of GDPR also going to block Californian users ?

Pretty sure that law will be specific to sites hosted or doing business in California. They have plenty of other laws that are specific to them that the rest of the nation do not.
That's why you hear of 49 state compliant cars. The 1 state they aren't compliant in is... you guessed it... California.... which is frequently referred to as Kalifornia.... which should give you an idea of the attitude of the "mainlanders" towards that wayward state.
That state is also having issues with an increased exodus of businesses and residents.

What's a bad day... someone from California moving into your neighborhood.
What's a fantastic day.... when they move out of your neighborhood.

 

[mysiteguy]

Although I just skimmed the proposal, I think most forums should be fine, as tit seems to be aimed solely at businesses. Only those who run their forums as a business entity, or as part of another business will have to be concerned. But it is a wake-up call for those thinking GDPR is just a problem for the Euro-Trash Socialists.

It also depends on the size of the business (or it's customer base).

Likewise, past Internet laws in California have not impacted other states to the extent GDPR attempts to cross lines of sovereignty, because it cannot. I know very few (ie, none) sites that I deal with as clients or non-mega corp sites visit which are located outside of California who pay any attention to their state specific laws.

I have zero concern about California's laws. They aren't nearly on the same level of border overreach. Plus, being here in the states it has a chance to go through US courts under constitutional challenge.

 

[Wes of StarArmy]

This sounds great as a consumer. I'm sick of the usual "whoops, we gave your SSN and credit card info to hackers!" and the only thing offered in consolation is free credit monitoring or something like that.

As an admin it underscores the need to be really careful about your security to avoid breaches.

Related: I just recently added a "Your California Privacy Rights" section to my privacy policy when I did all my GDPR-friendly updates to it.

 

[mysiteguy]

Pretty sure that law will be specific to sites hosted or doing business in California. They have plenty of other laws that are specific to them that the rest of the nation do not.
That's why you hear of 49 state compliant cars. The 1 state they aren't compliant in is... you guessed it... California.... which is frequently referred to as Kalifornia.... which should give you an idea of the attitude of the "mainlanders" towards that wayward state.
That state is also having issues with an increased exodus of businesses and residents.

What's a bad day... someone from California moving into your neighborhood.
What's a fantastic day.... when they move out of your neighborhood.

We've had several people from that state move here, and they are actually great folks. They moved here specifically to get away from the political/business/social environment there... so they fit in well here. But I do get the point of your joke, reminds me of what they say in the south... a Yankee is someone from the north who visits the south. A damn Yankee is someone who stays.

 

[mysiteguy]

This sounds great as a consumer. I'm sick of the usual "whoops, we gave your SSN and credit card info to hackers!" and the only thing offered in consolation is free credit monitoring or something like that.

It's not like there weren't remedies in place. For instance, there are major class action lawsuits when these things happen. It's going to hit Equifax pretty hard when the several against them come to a conclusion, and probably a lot more costly than a fine. I'm in 2 of those class action suits.

 

[Tracy Perry]

We've had several people from that state move here, and they are actually great folks. They moved here specifically to get away from the political/business/social environment there

Yeah, a lot of them are moving to escape the state governments over-reach. I know in Texas we've gotten several of their businesses lately (Toyota moving corporate office to Dallas, Kubota Credit Corp planning a move corporate office to Grapevine, Occidental Petroleum to Houston, Jacobs Engineering Group to Dallas). These are not small companies either.

And yes, it's similar to the Yankee vs Damn Yankee joke.
Although we DO have many that still like the California so-called benefits and try to revamp this state to what California was.

 

[mysiteguy]

Yeah, a lot of them are moving to escape the state governments over-reach. I know in Texas we've gotten several of their businesses lately (Toyota moving corporate office to Dallas, Kubota Credit Corp planning a move corporate office to Grapevine, Occidental Petroleum to Houston, Jacobs Engineering Group to Dallas). These are not small companies either.

And yes, it's similar to the Yankee vs Damn Yankee joke.
Although we DO have many that still like the California so-called benefits and try to revamp this state to what California was.

I have family in Texas, and many friends, they've told me similar stories. Those who re-locate because their company is.... aren't necessarily those you want, lol. I'm in a very rural area, few move here for a job... only for a change in lifestyle (that's why I moved here).

 

[TheChiro]

Is it not eye opening to these communist/socialist-wannabe states (mentalities) when they start seeing all these big businesses leaving their state, which leads to less jobs and less taxable income to the state....don't you think they would change their stance? Oh right, the stupid people of these states, like California and Illinois keep voting for the same idiots that think decreasing people's rights, increasing regulations and taxes = paradise. Why the mass exodus from Cali and Illinois? The ones bringing the income in...are the ones leaving because the ever increasing taxes.

California needs to just secede. Here's what I see happening with this law. A competitor is going to go to great lengths to find someone to breach their competitor to make their competitor to go belly up. That's what a lot of these laws aren't understanding...heck, I don't think a lot of these politicians even understand how computers and the internet works. Websites and computers cannot be 100% hack proof (well...if you keep them disconnected from any networks and the internet...certainly makes it harder now lol). I haven't looked at the commie cali laws but I hope there is something in there that states something to the effect of the businesses attempting to make things as secure as possible. For example, I hire a server administrator to do security audits, I've hired white hats to check for vulnerabilities, and we go to great lengths to secure our staff accounts, including our ACP access. There should be something in there for "due diligence". This should be aimed at those who are storing SSN's or have passwords stored in plain text. Having your email "leaked" is no big deal...so you get a few more viagra emails that go to spam

 

[djbaxter]

It's not like there weren't remedies in place. For instance, there are major class action lawsuits when these things happen. It's going to hit Equifax pretty hard when the several against them come to a conclusion, and probably a lot more costly than a fine. I'm in 2 of those class action suits.

That's only a remedy after the fact - and if you have the money to launch or participate in litigation.

 

[djbaxter]

Also, it looks like Canada will be creating it's own enhanced privacy legislation:

House committee says privacy laws should apply to political parties
by Aaron Wherry, CBC News
Jun 19, 2018

MPs recommend expanding data protections and empowering privacy commissioner

The House of Commons committee investigating the Cambridge Analytica scandal is recommending significant changes to Canada's privacy laws, including new rules to govern the activities of political parties.

In an interim report, the committee recommends that Canadian privacy laws be updated to offer data protections similar to the European Union's General Data Protection Regulation. The privacy commissioner, the committee says, should also be given the power to make orders, conduct audits, seize documents and impose fines for non-compliance.

The committee also proposes that privacy laws be extended to cover political activity. It recommends that online political advertising be subject to new transparency requirements - including disclosure of who paid for an ad and how the ad was targeted at specific audiences.

Read more...

And honestly... I really don't understand how this is not a good thing for consumers.

Yes, the EU went overboard with the GDPR (disclosure: the following is quoted from one of my own blogs):

I do think the GDPR goes too far, both in what they define as privacy data and in the penalties for breaching the act (they seem to have a special hate on for Google and Facebook). For example, most sites collect the IP addresses of visitors to their site purely for aggregate statistical reasons (e.g., to determine the general geographical locations of their visitors, which helps them to better target the marketing of their website). This data on its own does not and cannot identify a specific individual – in fact the only thing it identifies in the vast majority of cases is the internet service provider (ISP), and even then as often as not it may identify the correct city location of the visitor but rather the head office. For example, depending in the specific method used to identify IP location, I will often show up as the city of my ISP’s head office, some 450 kilometers away from my actual city. But the EU appears to define this as identifying information.

That doesn't mean the spirit of the legislation isn't a good idea, or that other countries can't adopt the spirit without the more extreme EU craziness.

 

[mysiteguy]

That's only a remedy after the fact - and if you have the money to launch or participate in litigation.

A fine is a remedy after the fact as well. And, unlike a class action lawsuit, the government gets the money, none goes to the consumers impacted.

 

[mysiteguy]

A fine is a remedy after the fact as well.

Also, it looks like Canada will be creating it's own enhanced privacy legislation:

House committee says privacy laws should apply to political parties
by Aaron Wherry, CBC News
Jun 19, 2018

MPs recommend expanding data protections and empowering privacy commissioner


Read more...

And honestly... I really don't understand how this is not a good thing for consumers.

Yes, the EU went overboard with the GDPR (disclosure: the following is quoted from one of my own blogs):



That doesn't mean the spirit of the legislation isn't a good idea, or that other countries can't adopt the spirit without the more extreme EU craziness.

Spirit and outcome are two entirely different things when it comes to government regulation.

With government, usually, the road to hell is paved with good intentions.

In the USA:
The drug war has resulted in creating a criminal class, sending millions to prison, marking someone's history with an arrest that never goes away, an estimated 50,000 - 80,000 SWAT raids per year, and billions in assets annually seized with dubious constitutionality via "civil asset forfeiture."

The war on poverty has resulted in incentivizing no father in the house, and the break down of the family structure in countless poor communities making it even harder to get out of poverty. The federal and state governments have spent $15 trillion dollars on it. Imagine how many jobs could have been created, actually helping poor people, had taxpayers been able to spend it. And the poverty rate? Hasn't moved much.

Social Security has discouraged saving for retirement.

Subsidized student loans have caused the cost of university education to skyrocket.

The ADA has made companies so afraid of lawsuits that those who hire are reluctant to hire handicapped people. The percentage of blind people who are employed now is far lower than before the ADA, for instance.

American food aid to Haiti was supposed to help them, instead, it all but wiped out their domestic farming industry.

The disaster that Prohibition was.

The Homestead Act of 1909 caused grasslands to disappear, widespread drought and the dustbowl.

The government made it harder to get opioids from doctors. While a drug habit is a bad thing, making them harder to get has resulted in skyrocketing rates of heroin use, where strength and quality are unknown, resulting in massive increases in overdose deaths.

I could go on and on, but I don't have a spare 10 years of time to write it all.

Anyone in the EU care for a cucumber or banana?

Hell isn’t merely paved with good intentions; it’s walled and roofed with them. Yes, and furnished too. - Aldous Huxley

 

[djbaxter]

Political debates with those who are convinced they're right is an exercise in futility.

The reality is that you will no doubt do what you want regardless of what anyone else says. I can pick apart details in the GDPR but as I said above I think the general spirit of such laws is a good thing for consumers and such measures can be implemented without much expense. Playing fast and loose with or ignoring the security of other people's private and personal information has been going on for too long.

 

[JQP]

The law will only apply to really huge sites and sites that sell their users' data, so unless you own Google, Facebook or maybe Reddit or unless you've found a buyer for user names and inactive email addresses you don't have anything to worry about.

I live in California and we're doing just fine, thank you. No need to worry about us and no need to worry about me moving in next door to you. I think I'll be staying, creeping scolicialism... er, scociaism.. er, socalitsm or not.

 

[Sal Collaziano]

...and here we are...

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect personal information from California residents. The new law goes into effect on January 1, 2020.

CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

It does not consider Publicly Available Information as personal.

Key differences between CCPA and GDPR include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information.[19] CCPA differs in definition of personal information from GDPR as in some cases the CCPA only considers data that was provided by a consumer and excludes personal data that was purchased by, or acquired through, third parties. The GDPR does not make that distinction and covers all personal data regardless of source (even in the event of sensitive personal information, this doesn't apply if the information was manifestly made public by the data subject themselves, following the exception under Art.9(2),e). As such the definition in GDPR is much broader than defined in the CCPA.

 

[Alpha1]

Google just sent me this:

Dear Partner,

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect personal information from California residents. The new law goes into effect on January 1, 2020.

Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.

These service provider terms will be made available alongside new tools for partners to enable restricted data processing. Restricted data processing is intended to help partners prepare for CCPA. Some partners may decide to send a restricted data processing signal for users who click a CCPA opt-out link. Other partners may decide to enable restricted data processing for all users in California via a control in our products. Subject to the service provider terms, we will act as your CCPA service provider with respect to data processed while restricted data processing is enabled. You can refer to this article for more information on restricted data processing and to determine whether restricted data processing meets your CCPA compliance needs. Please also refer to our Help Center articles for Ad Manager, AdMob, AdSense for more information on enabling restricted data processing.

Please see privacy.google.com/businesses for more information about Google’s data privacy policies.

If you have any questions about this update, please reach out to your account team or contact us through the Ad Manager, AdSense, or AdMob Help Centers.

 

[zappaDPJ]

[19] CCPA differs in definition of personal information from GDPR as in some cases the CCPA only considers data that was provided by a consumer and excludes personal data that was purchased by, or acquired through, third parties.

I'm not fully familiar with the act but on first glance this strikes me as potentially problematic. If my personal data is stolen and subsequently sold, what can I do about it?