The California Consumer Privacy Act (CCPA) is a comprehensive privacy law enacted in California in 2018. The CCPA has far-reaching implications for businesses that collect, use, or sell the personal information of California residents. This article provides an overview of the CCPA, its requirements, and its impact on businesses.
California Consumer Privacy Act Explained
The CCPA is a privacy law that grants California residents the right to know what personal information businesses collect about them and the right to request that this information be deleted. The law was passed in 2018 and became effective on January 1, 2020. The CCPA is modeled after the European Union’s General Data Protection Regulation (GDPR) and is considered one of the strongest privacy laws in the United States.
The CCPA applies to for-profit businesses that meet one or more of the following criteria:
- Have an annual gross revenue of over $25 million
- Buy, sell, or receive the personal information of 50,000 or more California residents, households, or devices annually
- Derive 50% or more of their annual revenue from selling California residents’ personal information
What does the CCPA require?
The CCPA grants California residents the following rights:
- Right to know: California residents have the right to know what personal information businesses collect, use, and disclose about them. This includes the categories of personal information collected, the sources of the information, the purposes for which the information is used, and the categories of third parties with whom the information is shared.
- Right to delete: California residents have the right to request that businesses delete their personal information. Businesses must comply with these requests unless an exception applies, such as when the personal information is necessary to complete a transaction, detect security incidents, or comply with legal obligations.
- Right to opt-out: California residents have the right to opt out of the sale of their personal information. Businesses must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website or mobile app.
- Right to non-discrimination: California residents have the right not to be discriminated against for exercising their privacy rights. Businesses cannot deny goods or services, charge different prices, or provide a different level of service to consumers who exercise their privacy rights.
In addition to these rights, the CCPA requires businesses to:
- Provide clear and conspicuous privacy notices that describe their data collection and sharing practices
- Obtain consent before collecting or sharing the personal information of minors under the age of 16
- Maintain reasonable security measures to protect personal information
- Implement procedures to verify the identity of individuals making privacy requests
- Provide training to employees on the CCPA’s requirements
What is the impact of the CCPA on businesses?
The CCPA has significant implications for businesses that collect, use, or sell the personal information of California residents. Businesses subject to the CCPA must invest in technology, staff, and processes to comply with the law. Failure to comply with the CCPA can result in fines of up to $7,500 per violation.
The CCPA’s impact on businesses extends beyond California. Because many businesses collect personal information from individuals across the United States, meeting the CCPA’s requirements can also bring them into compliance with other state privacy laws. For example, Virginia recently passed a comprehensive privacy law that includes many of the same requirements as the CCPA.
The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that grants California residents the right to know what personal information businesses collect about them and the right to request that this information be deleted. The law has significant implications for businesses that collect, use, or sell the personal information of California residents. Compliance with the CCPA requires significant investment in technology, staff, and processes, but can lead to compliance with other state privacy laws as well.