Updated/Revised August 13, 2024
The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. Here's an overview of the key aspects of the CCPA.
What is the CCPA?
The CCPA is designed to give California residents more control over the personal information that businesses collect about them. It came into effect on January 1, 2020, and applies to businesses that operate in California and meet certain thresholds.
Who Needs to Comply?
The CCPA applies to any for-profit business that collects personal information from California residents and meets at least one of the following criteria:
- Annual gross revenues exceed $25 million.
- Buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices annually.
- Derives 50% or more of its annual revenue from selling California residents' personal information.
Consumer Rights Under the CCPA
- Right to Know: Consumers have the right to know what personal information is being collected about them, the purposes for which it is being used, and whether it is being sold or disclosed to third parties.
- Right to Delete: Consumers can request that a business delete any personal information it has collected about them, subject to certain exceptions.
- Right to Opt-Out: Consumers have the right to opt out of the sale of their personal information to third parties.
- Right to Non-Discrimination: Consumers cannot be discriminated against for exercising their rights under the CCPA, such as by being denied services or charged different prices.
Business Obligations
- Privacy Policy Updates: Businesses must update their privacy policies to include information about consumers' CCPA rights and how to exercise them.
- Notice at Collection: When collecting personal information, businesses must inform consumers of the categories of information being collected and the purposes for which it will be used.
- Responding to Requests: Businesses must provide at least two methods for consumers to submit requests about their personal information, such as a toll-free number and a web form.
- Verifiable Requests: Businesses must be able to verify the identity of consumers making requests to access, delete, or opt out of the sale of their personal information.
Enforcement and Penalties
The California Attorney General can enforce the CCPA, with penalties for non-compliance ranging from $2,500 for unintentional violations to $7,500 for intentional violations per incident. Consumers also have a private right of action in the event of data breaches involving unencrypted or unredacted personal information.
Impact on Businesses
Businesses need to take proactive steps to ensure CCPA compliance, such as conducting data inventories, updating privacy policies, and implementing systems to handle consumer requests. Compliance not only helps avoid penalties but also builds consumer trust by demonstrating a commitment to protecting personal information.
In summary, the CCPA is a significant privacy law that affects many businesses operating in California. Understanding and complying with its requirements is essential for maintaining consumer trust and avoiding legal penalties.