https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA
The California Consumer Privacy Act (CCPA) is legislation in the state of California that supports an individual's right to control their own personally identifiable information. It requires companies to have mechanisms for consumers to opt-out of, request access to and delete data collected by the company.
The CCPA was first passed into law on June 28, 2018. It came into effect on January 1, 2020. The California Privacy Rights Act (CPRA) amended the CCPA by adding additional consumer privacy rights and obligations for businesses. It also established the California Privacy Protection Agency. The amended CCPA went into effect January 1, 2023. On January 1, 2024, the Delete Act went into effect, requiring companies to register for a data broker registry and preparing a mechanism for consumers to request data brokers delete their data to be finished by January 1, 2026.
The CCPA seeks to give California residents a way to control their personal information. They can be remembered using the acronym LOCKED:
These rights and how to exercise them should be explained in a company's privacy policy.
The CCPA applies to for profit companies that do business in California and have a gross annual revenue of over $25 million. They also apply to any company that buys, sells, or obtains information containing over 100,000 California residents or derive over 50% of their revenue buying and selling California resident's personal information.
Companies subject to the CCPA have several requirements, including but not limited to the following:
The CCPA broadly divides protected information into two categories, personal information and sensitive personal information.
Personal information is information that identifies or could be related to you or your household. It includes the following:
Sensitive personal information includes the following:
The CCPA does not apply to non-profit organizations and governmental agencies.
Certain data may be retained even if a delete request is received. This includes data that meets the following criteria:
A business found in violation of the CCPA is first give a notification. If it fails to address an alleged violation within 30 days of being notified, the California Office of the Attorney General can then impose fines. Any business that violates the CCPA may be liable for a penalty of not more than $2,500 per each unintentional violation and $7,500 per each intentional violation.
Consumers whose data "is subject to an unauthorized access and exfiltration, theft, or disclosure" as a result of a business' violation of CCPA can recover damages of $100 to $750 or the amount of actual damages, whichever is greater.
One recent example of a violation of the CCPA is the settlement with Google for $93 million dollars. They found that Google retained and used consumer location data even when the user opted out of location data.
The CCPA and GDPR provide many of the same protections and rights to consumers. They both protect a consumer's information and require similar mechanisms to request and delete data.
Differences between the GDPR and CCPA include the following:
Explore privacy controls to meet CCPA compliance requirements. Check out the top customer data privacy best practices and how data anonymization best practices protect sensitive data. Learn how to use a data privacy framework to keep your information secure, and overcome GDPR compliance challenges.
18 Dec 2023