California Consumer Privacy law (CCPA) and Right to Compensation For Personal Data Breach

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) is the major law advocating for strong protection for consumers personal data. It covers personal information collected online or offline and is not limited to any types of information.

The CCPA has a global impact, since most IT companies are based in California. The law brings major new rights such as “Do not sell my data” and “Private right of action for compensation” in case of data breach and few rights below.

CCPA is effective on January 1, 2020, but enforcement shall start on July 1, 2020. But you can request and organizations must provide consumers with information regarding the preceding 12-month period.

Who is covered under CCPA?

The CCPA protects individual consumers that are residents of California and excludes employees from its scope. Resident is defined as any individual who is living in the state on a permanent basis even if the person is away temporarily.

Who does CCPA apply to?

CCPA only applies to any commercial businesses that do business in California and have either 50K California users or annual sales more than $25 million, or get 50% revenue from selling data.

Exception: the law does not apply to public bodies and institutions, non-for-profit organizations.

Can I claim compensation for data breach under CCPA?

Yes, you can claim compensation for material or non-material damages (distress or inconvenience) even if you have not suffered any loss yet. However, not every data breach occurrence will allow for compensation and your case must be reviewed by professionals. If you know your information was leaked, you should report this case to the company directly and/or by submitting a request with us as soon as you can to minimize risk of identity theft and unauthorized disclosure.

How much can I get for my data breach in California under CCPA?

Your data breach compensation claim can range from $100 to $750 per consumer or incident (as a compensation for inconvenience), or actual damages, whichever is greater.

Amount of compensation will be decided by court and will depend on many factors, including:

• How sensitive leaked information is and impact on consumers.
• The number of violations and duration of violation.
• Whether it was an intentional violation or not and how the company dealt with breach.
• Financial situation of the company.

Above shall not be confused with compensation for identity theft. If you had identity theft as a result of a data breach, this should increase amount of compensation.

Data breached? You might have a right to compensation - up to $750Check compensation for free

What Is a Time Limit to File a Claim for Data Breach Compensation under CCPA?

3 years is the limitation period to file a claim for statutory compensation, also known as private right of action.

Can I claim compensation for data breach that happened prior to Jan 1, 2020?

This has not been tested in court, but it is unlikely court will award compensation for information compromised prior to Jan 1. Based on the California Supreme Court’s decision in Aetna case businesses have a strong defence against such claim. However, CCPA does allow the right to request disclosure from business as to what and how your personal information was collected and used for the last 12 months prior to CCPA.

What Personal Information is Covered By CCPA?

Personal information is broadly defined as any information that could reasonably be linked to any particular consumer or household. But for purposes of compensation claim information that was leaked must be:

• user ID and password, or other credentials allowing access to online accounts.
• Your name plus any of below:
  • Social Security number, or
  • driver's license or
  • California Identification Card number,
  • financial account numbers,
  • medical information,
  • health insurance, or
  • Car plate information.

Does CCPA only apply to California businesses?

No, CCPA also applies to a business established outside of California if it collects or sells California consumers personal information while conducting business in the state.

How do I know if my data was breached?

By law companies must notify consumers whose personal information was breached. However, according to recent surveys only 1 out of 2 Americans were notified about data breach. The law in California requires companies to electronically submit such notice to the Attorney General office if breach affected more than 500 California residents. DataClaim database has information from this e-register and other sources, we advise you to check if your data was compromised and if you may be eligible for compensation for free.

Check if my data was compromised

What’s Not Covered under CCPA?

Information in public domain, encrypted, or anonymized data is excluded for purposes of compensation under the law. The CCPA also excludes some categories of personal information, such as medical data covered by other U.S. laws (HIPPA), personal information for clinical trials and personal information processed by credit reporting agencies. If your healthcare information was compromised, please submit a request to check compensation.

Does CCPA extend protection to residents of other states?

No, unfortunately CCPA protections only cover Californian residents, as most countries' privacy regulations are based on residence.

Your privacy rights under CCPA

Currently the law provides this list of privacy rights:

• Right to be forgotten (right of deletion): The right to request your personal data to be deleted for free and within 45 days, which sometimes can be extended to 90 days. This can be addressed to the company that collected your personal and other processors with whom your information was shared. Sometimes companies can use exceptions to justify keeping some basic information for legal compliance obligations.
  According to one of global best practices in privacy “data minimization”, we generally recommend to minimize your data wherever possible to reduce risk of data hack and potential risks of identity theft or fraud.
• Right to private right of action: It is right to claim compensation up to $750 or actual damages, whichever is greater, in cases of data breach, as we explained above.
• Right to be informed: usually this information is in privacy policy, which allows users to learn what and how information is collected and why before data collection.
• Right to Opt-out: this is the right to object to processing or selling personal data. The law requires a link to be placed on the website home page with the title “Do Not Sell My Personal data” and there is no exception to it. This right also extends to opt-out from subsequent re-selling of information by the third party that received this information after “initial selling”. Such third parties shall not sell such personal information unless it serves “explicit notice” and is provided with an Opt-out tool.
• Right of access: this is to allow users to view and get a copy of all personal information business has within 45 days deadline and 2 free requests per year.
• Right not to be discriminated against: if a user is using her privacy rights. That means business cannot: deny service, charge different prices, or differentiate in quality. But business can offer financial incentives, but consumers must opt-in to be part of them.
• Right to data portability: to allow you to obtain your personal information in portable and usable format to export or migrate your data to third parties.

Enforcement of privacy rights

Depending on the violation, the CCPA provides for civil penalties that can be $2,500 for each violation; or $7,500 for each intentional violation. This is separate and in addition to private claims for compensation.

Data breached? You might have a right to compensation - up to $750Claim NOW