Understanding the California Consumer Privacy Act (CCPA), aka ‘GDPR-Lite’

Where Essent Stands on Consumer Privacy

Essent is deeply experienced in protecting personal data and we’ve incorporated consumer privacy laws into our framework for protecting personal data of everyone who uses Essent products and services.

The California Consumer Privacy Act (CCPA) will become the strictest consumer privacy protection law in the United States once it takes effect on Jan. 1, 2020.

While the law isn’t as strict as the General Data Protection Regulation (GDPR) that took effect in 2018 for companies that hold data on European consumers, the California law has similar aims and criteria for consumer privacy. The CCPA has been referred to as “GDPR-lite.”

Essent is an early adopter and proponent of clear, concise privacy policy and complies with the standards established by GDPR and CCPA. Essent is experienced in protecting personal data and has incorporated the laws into our framework for protecting the personal data of those who use Essent products and services.

Our Master Services Agreement, Breach Notification Policy, and Privacy Policy reflect our aims to keep private data private.

Who Does the CCPA Regulate?

For-profit entities that do business in California are bound by the new law if they gross more than $25 million annually or handle a high volume of personal data.

In order to be regulated by the California Consumer Privacy Act, a company must be a for-profit entity that does business in California and meets at least one of the following criteria:

  • Gross revenue exceeding $25 million annually.
  • Handles the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  • Holds, is held by, or shares branding with a company that meets the above criteria.

What Does the CCPA Protect?

Personally Identifiable Information (PII) has traditionally been defined very broadly, and the new California law is no exception.

The goal of the California Consumer Privacy Act is to protect the privacy of California consumers, particularly in terms of Personally Identifiable Information (PII).

PII is usually defined very broadly as any information that can be used to identify an individual or can combine with other information to identify an individual person, which makes many types of data potentially PII.

The CCPA is similarly broad, defining personal information as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular consumer or household.” The CCPA goes further to spell out that browsing history and purchasing patterns are considered PII.

What Does the CCPA Require of Companies?

Companies can still collect and store PII, but consumers can access it and ask for it to be deleted, among other rights.

While companies regulated by the CCPA can collect and store PII, the law gives consumers options and rights to control it.

Californians gain the right to know what personal data is being collected about them and to access it; to stop the sale of that data; to have companies delete the consumer’s personal data upon request; and to not face discrimination for exercising privacy rights.

Consumers whose privacy rights are violated can receive damages from $100 to $750 per consumer per incident, and the California Attorney General can fine companies from $2,500 per unintentional violation to $7,500 per intentional violation, adding up to significant economic liability for widespread breaches or infractions.

The CCPA Doesn’t Technically Apply to Me. Can I Ignore It?

Whether or not the CCPA applies to your company by the letter of the law, it applies to your company.

Consumer privacy awareness is an emerging part of the business landscape with governments and businesses alike more conscious than ever regarding the protection of consumer data.

More laws in the spirit of the CCPA and GDPR are in the works in the U.S. and abroad, and even more are sure to follow. Even if the CCPA or GDPR don’t literally apply to your company now, it’s possible, arguably likely, that a consumer privacy law soon will.

At the very least, competitors are noticing this environment and taking steps toward consumer privacy protection to win trust and business. We therefore recommend that companies comply with the intent of consumer privacy laws by adopting consumer privacy policies and protocols, even if the letter of the law doesn’t yet require them to.
