The California Consumer Privacy Act (CCPA) is a data privacy law enacted in 2018 in the state of California, USA, designed to protect the privacy rights of California residents by giving them more control over their personal information. It went into effect on January 1, 2020, with enforcement by the California Attorney General beginning July 1, 2020. Below is an overview of the key elements and provisions of the CCPA:
1. Purpose of the CCPA
The CCPA aims to provide California residents with transparency about how their personal information is collected, used, and shared by businesses. It gives individuals the ability to access, delete, and control their personal data.
2. Who Does the CCPA Apply To?
The CCPA applies to for-profit businesses that do business in California, collect consumers' personal information, and meet one or more of the following thresholds (as amended by the CPRA):
- Gross annual revenues of over $25 million in the preceding calendar year (the figure is adjusted for inflation periodically).
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it).
- Derives 50% or more of annual revenues from selling or sharing California consumers' personal information.
Businesses located outside of California must comply if they do business in the state and meet one of these thresholds; a physical presence in California is not required.
3. What is Personal Information Under the CCPA?
The CCPA defines personal information broadly to include any information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular individual or household. Publicly available information and data that has been properly deidentified or aggregated are excluded. Personal information includes, but is not limited to:
- Name, address, phone number, email.
- Social Security number, driver’s license number.
- Internet activity, IP address, and geolocation data.
- Purchase history, browsing history.
- Employment and education information.
- Biometric data.
It also includes any inferences drawn from the data that could create a profile about an individual’s preferences, characteristics, psychological trends, and behaviors.
4. Consumer Rights Under the CCPA
The CCPA grants the following rights to California residents:
a. Right to Know
Consumers have the right to request:
- The categories and specific pieces of personal information collected about them.
- The categories of sources from which their information was collected.
- The business or commercial purpose for collecting or selling their personal information.
- The categories of third parties with whom their information is shared.
b. Right to Delete
Consumers can request that a business delete the personal information it has collected about them, subject to certain exceptions (e.g., if the data is necessary to complete a transaction, comply with a legal obligation, or detect and protect against security incidents and fraud). A business that honors a deletion request must also direct its service providers and contractors to delete the same data.
c. Right to Opt-Out of the Sale of Personal Information
Consumers have the right to opt out of the sale of their personal information to third parties. Businesses must provide a clear and conspicuous "Do Not Sell My Personal Information" link on their website homepage (since the CPRA took effect, "Do Not Sell or Share My Personal Information"). A business must also honor an opt-out preference signal sent by the consumer's browser or device, such as Global Privacy Control, as a valid opt-out request, and it may not sell the personal information of consumers under 16 without affirmative opt-in consent.
d. Right to Non-Discrimination
Consumers cannot be discriminated against for exercising their CCPA rights. This means businesses cannot:
- Deny goods or services.
- Charge different prices or rates.
- Provide a different level or quality of service, unless the differences are reasonably related to the value of the consumer’s data.
5. Obligations for Businesses Under the CCPA
Businesses that fall under the CCPA must adhere to several requirements:
a. Provide Privacy Notices
Businesses must inform consumers, at or before the point of data collection, about the types of personal information being collected and the purposes for which it will be used. This information is usually presented in a privacy policy.
b. Respond to Consumer Requests
- Businesses must respond to verifiable requests to know or delete within 45 days of receipt; the period may be extended once by up to 45 additional days when reasonably necessary, provided the consumer is told about the extension. Verifying the requester's identity before disclosing or deleting data is required, so that the request process itself cannot be used to obtain or destroy someone else's records.
- Requests to opt out of sale do not require identity verification and, under the CCPA regulations, must be honored within 15 business days.
- Businesses must provide at least two methods for consumers to submit these requests, such as a toll-free number plus a web form (a business that operates exclusively online and has a direct relationship with the consumer may instead offer an email address).
c. Training and Record-Keeping
- Employees handling consumer inquiries about privacy must be trained on how to comply with the CCPA.
- Businesses must maintain records of consumer requests and how they were handled for at least 24 months.
d. Data Security
- The CCPA imposes a duty on businesses to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect consumers' personal information from unauthorized access, destruction, use, modification, or disclosure. The CPRA wrote this duty directly into the statute (Cal. Civ. Code § 1798.100(e)), and a failure to meet it is what triggers the private right of action described below.
6. Fines and Penalties
The CCPA allows for enforcement by the California Attorney General, as well as private lawsuits under specific circumstances:
- Civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16 (amounts are adjusted for inflation).
- The original CCPA gave businesses 30 days to cure a violation after notice before the Attorney General could bring an action; the CPRA removed this mandatory cure period, although the enforcement agency may take good-faith efforts to cure into account when deciding penalties.
- Consumers can also bring private lawsuits when their nonencrypted and nonredacted personal information (as defined in California's data breach statute, e.g., a name combined with a Social Security number, financial account credentials, medical information, or an email address with a password or security question and answer) is subject to unauthorized access, theft, or disclosure because the business failed to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater, and the consumer must first give the business 30 days' written notice and an opportunity to cure before seeking statutory damages. Because the claim covers only nonencrypted and nonredacted data, encrypting sensitive fields at rest and redacting stored identifiers is one of the most effective ways to limit exposure under this provision.
7. California Privacy Rights Act (CPRA)
In November 2020, California voters approved the California Privacy Rights Act (CPRA, Proposition 24), which amends and expands the CCPA. Most CPRA provisions took effect on January 1, 2023, with enforcement beginning July 1, 2023, and introduced several additional rights and obligations, including:
- Right to Correct: Consumers can request that inaccurate personal information be corrected.
- Expanded Right to Opt-Out: Consumers can opt out of not only the sale of personal information but also the sharing of personal information for cross-context behavioral (targeted) advertising.
- Sensitive Personal Information: The CPRA defines a category of sensitive personal information (e.g., Social Security and financial account numbers, precise geolocation, racial or ethnic origin, health data, biometric data used for identification, and the contents of mail, email, and text messages) and gives consumers the right to limit its use and disclosure to what is necessary to provide the requested goods or services.
- Data Minimization and Retention Limits: Collection, use, and retention of personal information must be reasonably necessary and proportionate to the disclosed purpose, and businesses must tell consumers how long each category of data will be kept.
- Security Audits and Risk Assessments: The CPRA directs the enforcement agency to issue regulations requiring annual cybersecurity audits and risk assessments for businesses whose processing presents significant risk to consumers, along with rules governing automated decision-making technology.
- Contract Requirements: Businesses must have written contracts with service providers, contractors, and third parties that restrict how the shared personal information may be used.
- Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes this agency, which shares enforcement authority with the Attorney General, issues regulations, and provides guidance to businesses and consumers.
8. Comparisons to GDPR
While the CCPA is a major privacy law in the United States, it differs from the General Data Protection Regulation (GDPR) in several ways:
- Applicability: GDPR applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to, or monitor the behavior of, people in the EU; the CCPA applies to businesses doing business in California that meet its revenue or data-volume thresholds, and it protects California residents.
- Legal basis: GDPR requires a lawful basis (consent is one of six) before personal data may be processed at all, while the CCPA generally allows businesses to collect and use personal information by default and gives consumers an opt-out; opt-in consent is required only in specific cases, such as selling or sharing the data of minors under 16.
- Consumer Rights: Both laws provide rights of access, deletion, and data portability. GDPR additionally grants rights to restrict and object to processing and limits decisions based solely on automated processing; the CPRA narrows the gap with a right to correct and with regulations on automated decision-making technology.
The CCPA was the first comprehensive consumer privacy law in the United States and represents a shift toward greater data transparency and consumer control over personal information. It has served as a template for later state privacy laws and is often compared to international data protection laws like GDPR.