The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) was passed in June 2018 and went into effect January 1, 2020. The CCPA is designed to regulate the ‘sale’ of personal information of California residents by a business, and provide more privacy protections to California residents. 

Specifically, the law gives California residents the right to:

• Prohibit the sale of their personal information
• Request access to or deletion of their personal information
• Exercise a private right of action against a business for a security breach

What new rights do consumers have under CCPA?

CCPA details specific requests that consumers may make of businesses that “sell” their personal information.

1. Do Not Sell.  Businesses must include a “Do Not Sell My Data” link on their homepage to allow consumers to opt out of the ‘sale’ of their personal information.
2. Right to Delete.  Consumers can request that their personal information be deleted by the business and the service providers with which the business shares that personal information.
3. Right to Access and Portability.  Consumers can request the right to know what personal information a business has collected about them, and can request a copy of that personal information.

Key terms have been defined within CCPA:

• Sale: A “sale” includes the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means for monetary or other valuable consideration.
• Personal Information: CCPA defines this as any information that may be used to directly or indirectly identify an individual. This includes: real name, alias, postal address, unique personal identifier, online identifier, email address, account name, SSN, driver’s license number, passport number, and also pseudonymous identifiers like cookie IDs, IP addresses and mobile ad IDs.
• Business:  A company is considered a business subject to the CCPA if the company makes at least $25 million per year; or buys, sells, or shares more than 50,000 personal information records; or derives more than of its 50% annual revenue from selling consumers’ personal information.