In 2018, California passed the California Consumer Privacy Act (CCPA) to protect the privacy rights of California consumers. It went into effect on January 1st of this year, and not unlike Europe’s General Data Protection Regulation (GDPR), the CCPA will no doubt affect many businesses that acquire or collect personal data from Californians.
An article by Digital River summed it up nicely, saying, “The CCPA, as it’s becoming known, gives people access to the information that companies have stored, enables them to opt-out of having their data shared and includes the EU’s concept of the right to be forgotten. The law also allows companies to compensate people for the sale of their data, and it provides for enforcement by the state attorney general.” Also, the new law will make it easier for people to file litigation against (sue) businesses that collect personal data in the event of a data breach or hack.
This means that consumers will be able to ask for and receive personal data that companies have stored about them. Consumers have the right to know what companies use this data for, and how/when/if it ever gets sold to third parties. And it’s not just consumers: employees have the right to know how employers use/store data about them, as do parents of young children. It’s now law for businesses to ask permission before personal details of children under 13 are shared for commercial benefit. Lastly, all consumers have the right to have personal data stored on them deleted, and to opt out of any future personal data collection.
What kind of businesses have to be in compliance?
Businesses are subject to CCPA if they:
- Do business in California (whether based here or not)
- Have annual revenues of more than $25 million
- Buy, receive or sell the personal information of 50,000 or more consumers, households or devices in California or derive 50% or more annual revenue from selling consumers’ personal information
The company doesn’t need to be based in California; it is subject to the law if it collects personal information on that threshold number of residents here.
According to California’s Office of the Attorney General, the CCPA requirements include:
- Businesses must disclose their data collection and sharing practices to consumers
- Consumers should be able to request that their data be deleted
- Consumers must have a right to opt out of the sale or sharing of their personal information
- Businesses are