The California Consumer Privacy Act (CCPA) is arguably one of the most comprehensive data privacy laws to be enacted in the United States to date.
Companies that conduct business in the state of California and meet any of the following three criteria are subject to the CCPA:
- Total corporate revenues exceed $25 million a year;
- At least half their annual revenue is from selling consumers’ personal information; or
- If personal data of at least 50,000 households are bought or sold within a year.
Under the CCPA, California consumers have new rights and companies have new responsibilities. It is important to note that consumers do not need to have a business or transactional relationship with the company to exercise their rights. The following summarizes the main rights provided to consumers under the CCPA:
- Consumers can request that companies provide all information collected about them, free of charge, up to twice a year.
- Consumers can request that companies delete any information they have collected from them. It is noted that there are certain circumstances where companies are not required to honor a request to delete information, such as if the information is necessary to complete a transaction or protect against fraud.
- Companies that sell personally identifiable information (PII) are required to create a simple way for consumers to opt out of having their data sold, through a “recognizable and uniform” button or logo on the company’s website.
- Consumers are allowed to sue companies that allow PII to be accessed or stolen through a data breach.
Firms subject to the CCPA should seek legal advice to determine what changes need to be implemented in order to comply with their new responsibilities. Most firms will need to update their websites and privacy policies to adhere to the disclosure requirements and firms should consider creating policies and procedures properly handle consumer requests under the CCPA.
For additional information on the CCPA please also see our other related articles: