The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, making California the first U.S. state to enact a comprehensive consumer privacy law. The legislation was introduced as Assembly Bill 375, aiming to give California residents greater control over their personal information. The CCPA officially took effect on January 1, 2020, granting consumers rights such as access to their personal information, the ability to request deletion, and the right to opt out of the sale of personal information. The CCPA set a precedent for state-level privacy laws across the U.S., influencing legislation in states like Virginia, Colorado,
The California Privacy Rights Act (CPRA), also known as Proposition 24, was approved by California voters on November 3, 2020, as an expansion of the California Consumer Privacy Act (CCPA). The CPRA introduced stronger consumer privacy protections, including the right to correct inaccurate personal information, limit the use of sensitive personal information, and prevent businesses from sharing personal information without consent. It also established the California Privacy Protection Agency (CPPA) to enforce privacy laws and oversee compliance. The CPRA officially took effect on January 1, 2023, applying to personal data collected from January 1, 2022, onward.
Covered and Exempt Entities
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), a “business” is defined as an entity that:
– Operates in California and collects personal information from consumers.
– Determines the purposes and means of processing personal data.
– Meets at least one of the following thresholds:
  – Has annual gross revenues exceeding $25 million.
  – Buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices annually.
  – Derives 50% or more of its annual revenue from selling or sharing personal information.
Additionally, the CCPA applies to affiliated entities that share common branding with a covered business. Nonprofits and government agencies are generally exempt from these requirements.
HIPAA/GLBA/ETC
The CCPA exempts certain data protected by the GLBA and HIPAA.
Employee Data and Business Contact Information
California is unique in the United States in that employee data and business contact information can be the personal information of a California resident protected by the CCPA.
Privacy Policy Disclosures
A California resident can request that a business disclose: (1) the categories and/or specific pieces of personal information they have collected, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties.
Data Subject Access Rights
California residents have several data subject rights under the amended CCPA that empower them to control their personal information in the possession or control of a business. These rights include the right to know what personal data businesses collect, the right to delete personal information (with some exceptions), and the right to correct inaccurate personal information. A resident can also direct a business to only use sensitive personal information (for example, social security number, financial account information, precise geolocation data, or genetic data) in limited ways.
Opt-Out for the Sale and Sharing of Personal Information
Under the California Consumer Privacy Act (CCPA), consumers have the right to opt out of the sale or sharing of their personal information. Businesses that sell personal data must provide a clear and accessible mechanism for consumers to exercise this right, such as a “Do Not Sell or Share My Personal Information” link on their website. A “sale” of personal information is broadly defined as the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information to another business or third party for monetary or other valuable consideration. The term “share” refers to the disclosure, transfer, or communication of a consumer’s personal information to a third party for cross-context behavioral advertising. Additionally, consumers can use Global Privacy Control (GPC) signals to automatically communicate their opt-out preferences. Once a consumer opts out, businesses must honor the request and cannot sell or share their data unless the consumer later provides consent.
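As an added example (not part of this page), the following is a minimal server-side decision that honours both opt-out paths described above: the stored state set through a “Do Not Sell or Share” link and a GPC signal carried on the current request. The `Sec-GPC: 1` header is the signal defined by the Global Privacy Control specification; the record format, function names, precedence rule and sample requests are assumptions made for illustration.

```python
"""Honouring CCPA opt-out signals (constructed example, not page code).

Only the header name/value `Sec-GPC: 1` comes from the GPC specification;
the record layout, function names and precedence rule are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ConsumerRecord:
    """Server-side opt-out state for one consumer (constructed format)."""
    consumer_id: str
    opted_out: bool = False                # set via the opt-out link or GPC
    consented_after_opt_out: bool = False  # consumer later re-consented


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    The spec's only opt-out value is the literal "1"; an absent header or
    any other value ("0", "true", "") is not an opt-out.
    """
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"


def may_sell_or_share(record: ConsumerRecord, headers: dict) -> bool:
    """Decide whether this consumer's data may be sold or shared.

    Precedence (assumed policy):
      1. A GPC signal on the current request is a fresh opt-out: it is
         recorded and blocks sale/sharing, regardless of earlier consent.
      2. A stored opt-out blocks sale/sharing unless the consumer gave
         consent after opting out.
    """
    if gpc_signal_present(headers):
        record.opted_out = True
        record.consented_after_opt_out = False
        return False
    if record.opted_out and not record.consented_after_opt_out:
        return False
    return True
```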
Service Provider Contractual Terms
Under the California Consumer Privacy Act (CCPA), businesses must establish contractual agreements with service providers to ensure compliance with data protection regulations. These contracts must, among other things, explicitly state that the service provider must use the data only for the specified business purpose.
Reasonable Security & Private Right of Action
The California Consumer Privacy Act (CCPA) grants consumers a private right of action in cases where their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure due to a business’s failure to implement reasonable security measures. This provision allows affected individuals to seek statutory damages ranging from $100 to $750 per incident or actual damages, whichever is greater. While the law does not define a specific security standard, companies are expected to follow industry standard practices, such as encryption and access controls. The California Attorney General has referenced frameworks like the Center for Internet Security’s Critical Security Controls (CIS Controls) as a baseline for compliance.