The California Consumer Privacy Act (CCPA) is a privacy law that went into effect in California on January 1, 2020. It is considered one of the most comprehensive privacy laws in the United States, and it gives California residents certain rights over the personal information that is collected, used, and shared by businesses.
The CCPA applies to businesses that meet certain criteria, such as having annual gross revenues over $25 million, or buying, selling, or receiving the personal information of 50,000 or more consumers, households, or devices.
The CCPA gives California residents the right to:
- Know what personal information is being collected about them
- Request that their personal information be deleted
- Request that their personal information not be sold to third parties
- Access the personal information that a business has collected
The CCPA also requires businesses to provide a “Do Not Sell My Personal Information” link on their website and to provide notice to consumers about their rights under the law.
The CCPA has some similarities with the European General Data Protection Regulation (GDPR), but there are also some important differences.
It’s important for companies to understand the CCPA and to ensure that they are in compliance with the law, as non-compliance can result in significant fines and legal penalties.
Here are some of the key requirements that businesses must comply with under the CCPA:
- Disclosure of data collection: Businesses must disclose what personal information they collect, use, share, and sell about consumers, and the purposes for which it is collected, used, shared, and sold.
- Right to know: Consumers have the right to request that a business disclose the personal information it has collected about them, and the sources of that information.
- Right to delete: Consumers have the right to request that a business delete any personal information it has collected about them.
- Right to opt out: Consumers have the right to opt out of the sale of their personal information.
- “Do Not Sell My Personal Information” link: Businesses must provide a “Do Not Sell My Personal Information” link on their website, which allows consumers to opt out of the sale of their personal information.
- Notice of rights: Businesses must provide notice to consumers about their rights under the CCPA, which can be done through a privacy policy or other notice.
- Responses to requests: Businesses must respond to consumer requests to know or delete their personal information within 45 days, and must provide a two-step verification process for consumers to confirm their identity.
- Data security: Businesses must implement reasonable security procedures and practices to protect consumers’ personal information from unauthorized access, exfiltration, theft, or disclosure.
- Minors: Businesses must obtain opt-in consent from the parent or guardian of minors under the age of 16 before collecting, using, or selling their personal information.
CCPA Jurisdiction Reaches Outside Of State Lines
The CCPA applies to businesses that operate in California or that collect personal information from California residents, regardless of whether the business is based in California. This means that even if a business is located outside of California, it must comply with the CCPA if it collects personal information from California residents.
The CCPA applies to any legal entity that is organized under the laws of California or that is organized outside of California but that does business in California. This includes corporations, partnerships, limited liability companies, and sole proprietorships.
It also applies to any individual, business, or service provider that operates under the jurisdiction of California, regardless of whether the business or service provider is based in California or not.
It’s important for companies to understand that they are under CCPA jurisdiction and to ensure that they are in compliance with the law, as non-compliance can result in significant fines and legal penalties.
All companies should add a “Do Not Sell My Personal Information” link on their website
As of my knowledge cutoff, the first lawsuit under the CCPA was filed by the Los Angeles City Attorney in January 2020, against a company called Delta Airlines, which was accused of not properly providing consumers with the right to opt out of the sale of their personal information. The lawsuit was filed shortly after the CCPA went into effect on January 1, 2020.
The lawsuit alleged that Delta Airlines failed to provide a “Do Not Sell My Personal Information” link on its website, which is required by the CCPA. The lawsuit also alleged that Delta Airlines failed to provide consumers with notice of their rights under the CCPA and that Delta Airlines failed to properly respond to consumer requests to opt out of the sale of their personal information.
This was the first lawsuit filed under the CCPA; however, there have been several more lawsuits filed and settled under the CCPA by the California Attorney General and other private attorneys.
California Consumers’ Rights Under the CCPA
The California Consumer Privacy Act (CCPA) grants certain rights to California residents over their personal information that is collected, used, and shared by businesses. Here are some of the key rights that consumers have under the CCPA:
- Right to know: Consumers have the right to request that a business disclose the personal information it has collected about them, and the sources of that information.
- Right to delete: Consumers have the right to request that a business delete any personal information it has collected about them.
- Right to opt out: Consumers have the right to opt out of the sale of their personal information.
- Right to non-discrimination: Consumers have the right to not be discriminated against by businesses for exercising their rights under the CCPA.
- Right to private action: Consumers have the right to sue a business if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement reasonable security procedures and practices.
- Right to know about the data collection: Consumers have the right to know what categories of personal information a business has collected about them, and the categories of sources from which the information was collected.
- Right to know about the use of the data: Consumers have the right to know what categories of personal information a business has disclosed about them for a business purpose, and to whom the information was disclosed.
- Right to access their personal information: Consumers have the right to access their personal information in a portable and, in most cases, readily usable format.
It’s important for consumers to be aware of their rights under the CCPA, and to understand how they can exercise them. Businesses are required to inform consumers of their rights and provide a means to exercise them.