The California Consumer Privacy Act, or the CCPA is a piece of legislation that regulates how businesses handle the personal data of California residents.
The CCPA went into effect on January 1, 2020 and it is largely regarded as one of the strictest privacy laws in the United States. The CCPA provides residents of the state of California with the right to control how businesses process their personal information. Under CCPA, businesses must honor requests from any California resident to access, delete, and opt out of sharing or selling their information.
The penalties for not complying with CCPA are high. If you are notified that you have not met the requirements of CCPA, and fail to act within 30 days, the Attorney General will bring a civil case against you. The fine for a data breach currently sits at $7,500 per violation (source: https://secureprivacy.ai/what-is-ccpa-and-how-to-become-compliant/#WhatispersonaldataaccordingtotheCCPA).
Who the CCPA Applies to
The CCPA applies to for-profit entities that do business in the State of California. Therefore, the CCPA has extraterritorial reach and as such it can apply to businesses located outside of California, and outside of the US. If any of the following apply to your business, then CCPA applies to you:
• Do business in the State of California;
• Collect the personal information of consumers in the State of California;
• Determine the purpose and means of processing California consumers' personal information;
• And meet at least one of these following thresholds:
• have annual gross revenues larger than $25 million;
• buy, sell, share, or receive for commercial purposes the personal information of at least 50,000 California consumers, devices, or households each year;
• gain at least 50% of annual revenue from selling California residents’ personal information
The CCPA does not apply to your business if it is a non-profit, a smaller company that doesn’t meet the revenue thresholds, and/or if it doesn't deal in huge amounts of the personal data of California residents, and doesn’t share a brand with an affiliate covered by the CCPA (source: https://www2.deloitte.com/us/en/pages/advisory/articles/ccpa-compliance-readiness.html#)
Personal Data According to the CCPA
According to the CCPA, personal data is defined as; any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Therefore, personal data may include information such as; name, email address, employment information, biometric data, IP address, and geolocation data.
Video Surveillance and the CCPA
The CCPA is designed to give residents of California control over their personal data. This includes the right to access their personal data and the right to request that a business delete any personal data. Personal data, as laid out in the above paragraph, therefore clearly includes information captured via video surveillance / CCTV.
Just like the GPDR (https://ocucon.com/subject-access-requests-gdpr/), individuals therefore have the right to request, from any business, access to video footage that they appear in. Businesses must therefore comply with any such request. In doing so, any third parties present in such footage must be blurred, or redacted. Not doing so would be a breach of privacy, and therefore a breach in the CCPA (or GDPR).
Ensure you have the tools necessary to redact video footage. A simple solution would be a software based tool, such as Pixelate, which offers an easy to use video redaction tool and a subscription based pricing model.
The penalties for not complying with CCPA are high so businesses must ensure that all activities are CCPA compliant, including the operation of surveillance / CCTV systems. Contact us today to learn more about how Pixelate makes video redaction quick and easy, thereby helping your business to be fully CCPA compliant.