Who is it relevant to?
The California Consumer Privacy Act (CCPA) will enter into force in California on January 1, 2020. It is intended to raise the data protection standard in line with the GDPR, but it also sets special requirements for online companies.
Do both apply?
However, the two pieces of legislation are only partially compatible. The CCPA and the GDPR have different requirements, different definitions and different areas of application, e.g. when collecting personal data without explicit consent. The GDPR also lacks the right to opt out that the CCPA requires. In addition, the CCPA applies only to certain types of companies.
The CCPA currently applies if:
- The annual gross revenue amounts to at least 25 million US dollars.
- The company derives 50 percent or more of its annual revenue from the sale of personal data.
- The processing of personal data for business purposes affects at least 50,000 consumers, devices or households in California.
What are the penalties?
A possible penalty under the CCPA in the case of an intentional data breach amounts to USD 7,500 per breach, and USD 2,500 per breach in the event of negligent action.