CCPA Compliance Guide: Everything California Businesses Need to Know

The California Consumer Privacy Act (CCPA) is the most comprehensive data privacy law in the United States. Passed in 2018 and strengthened in 2020, it grants California residents significant rights over their personal information and imposes substantial obligations on businesses that collect that data. Whether you're a California company or a business anywhere in the world that serves California customers, CCPA likely applies to you.


What Is CCPA and Why It Matters

CCPA gives California residents the right to know what personal information is being collected about them, to know whether their data is sold or disclosed and to whom, to say no to the sale of their personal information, to access their personal information, to equal service and price even if they exercise their privacy rights, and to sue companies if a data breach exposes certain sensitive information.

The law applies to for-profit entities that collect California consumers' personal information and meet at least one of three thresholds: annual gross revenues over $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers' personal information.

The Categories of Personal Information

CCPA defines personal information broadly, similar to GDPR. It includes identifiers like real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, and other government ID numbers. It also covers commercial information like records of personal property, purchasing history, and consuming histories. Additionally, internet activity, biometric information, sensory data, employment-related information, education information, and inferences drawn from other personal information all fall under CCPA's definition.

The Consumer Rights Under CCPA

California consumers have the right to know what personal information is being collected about them, including the categories and specific pieces of information collected. They can request disclosure of the categories of sources, business purposes, and categories of third parties with whom information has been shared. Consumers also have the right to access their specific pieces of personal information that a business has collected.

The right to delete allows consumers to request deletion of personal information collected from them, subject to certain exceptions. Consumers can opt out of the sale or sharing of their personal information. Since 2023, they also have the right to correct inaccurate personal information and to limit the use of sensitive personal information, thanks to the CPRA amendments.

What Businesses Must Do

Businesses subject to CCPA must provide reasonable security measures for personal information. They must designate at least two methods for consumers to submit requests, including a toll-free phone number and a web form. Businesses cannot discriminate against consumers who exercise their CCPA rights, though they can offer different prices or service levels if the difference is reasonably related to the value provided by the data.

A crucial requirement is the right to opt out. Businesses that sell or share personal information must provide a clear and conspicuous link on their website homepage titled "Do Not Sell or Share My Personal Information" that allows consumers to opt out. For sensitive personal information, businesses must generally obtain the consumer's explicit consent before using it beyond specified purposes.

CPRA: The California Privacy Rights Act

Voters approved CPRA in November 2020, significantly strengthening CCPA. Key additions include a new right for consumers to correct inaccurate personal information, a right to limit the use of sensitive personal information, and the creation of the California Privacy Protection Agency to enforce the law. CPRA also expanded the definition of personal information and introduced new categories like sensitive personal information with stricter rules around its use.

Penalties and Enforcement

The California Attorney General can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. More significantly, the private right of action allows consumers to sue directly when certain personal information (such as Social Security numbers, driver's license numbers, or account credentials) is exposed in a data breach due to inadequate security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater.

Practical Steps for Compliance

Start with a data inventory. Know what personal information you collect, where it comes from, who you share it with, and why. Update your privacy policy to describe these practices clearly. Implement processes for handling consumer requests within 45 days. If you sell or share data, add a clear opt-out mechanism to your website. If you collect sensitive personal information, review your purposes for collecting and using it. Finally, ensure reasonable security measures protect the personal information you hold.