The California Consumer Privacy Act (CCPA) is a state law that gives California consumers the right to know what personal information businesses collect about them, the right to delete that information, and the right to opt out of its sale. The law, which goes into effect on January 1, 2020, applies to businesses that collect California consumers’ personal information and meet certain other criteria.
What is personal information? (See also: What is personal data?)
The CCPA defines personal information broadly as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, information such as a consumer’s name, email address, mailing address, telephone number, social security number, driver’s license number, education information, financial information, medical information, and health insurance information.
The law also covers what is known as derived data, which is information that is created by combining or linking together other pieces of information. For example, a list of consumers who have purchased a particular product would be considered derived data.
What businesses are covered by the CCPA?
The CCPA applies to businesses that meet all of the following criteria:
• The business collects consumers’ personal information.
• The business determines the purposes and means of the processing of consumers’ personal information.
• The business is organized under the laws of the State of California, the United States, or any other jurisdiction.
• The business has annual gross revenues in excess of $25 million.
• The business buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
• The business derives 50% or more of its annual revenues from selling consumers’ personal information.
What rights do California consumers have under the CCPA?
The CCPA gives California consumers the following rights:
– The right to know what personal information is being collected about them.
– The right to know the purposes for which their personal information is being collected.
– The right to know the categories of third parties with whom their personal information is being shared.
– The right to opt out of the sale of their personal information.
– The right to have their personal information deleted.
– The right to not be discriminated against for exercising their rights under the CCPA.
What are the requirements for businesses under the CCPA?
The CCPA imposes several requirements on businesses that collect California consumers’ personal information:
– Businesses must provide a notice that informs consumers of their rights under the CCPA. This notice must be made available on the business’s website or, if the business does not have a website, in another manner that is reasonably accessible to consumers.
– Businesses must also provide a way for consumers to exercise their rights under the CCPA. This can be done by providing a link on the business’s website that says “Do Not Sell My Personal Information” or by providing a toll-free telephone number.
– Businesses must respond to requests from consumers who wish to exercise their rights under the CCPA within 45 days.
– Businesses must delete the personal information of consumers who request that their information be deleted, unless the information is necessary for the business to complete a transaction, fulfill a contract, or for another specified purpose.
– Businesses must provide consumers with a way to opt out of the sale of their personal information. This can be done by providing a link on the business’s website that says “Do Not Sell My Personal Information” or by providing a toll-free telephone number.
– Businesses must not discriminate against consumers who exercise their rights under the CCPA. This includes, but is not limited to, denying services, charging different prices, or providing a different level of quality of service.
What are the penalties for businesses that violate the CCPA?
The CCPA imposes fines of up to $2,500 for each violation of the law, up to $7,500 for each intentional violation, and up to $75,000 for each violation that results in unauthorized access to or disclosure of consumers’ personal information.
What should businesses do to prepare for the CCPA?
Businesses that collect California consumers’ personal information should take steps to prepare for the CCPA. This includes, but is not limited to, reviewing their data collection practices, updating their privacy policies, and providing a way for consumers to exercise their rights under the CCPA.