California Consumer Privacy Act of 2018
What are the major provisions of the California Consumer Privacy Act, 2018 (the “CCPA”)
The CCPA gives “consumers” (defined as natural persons, who are California residents) four basic rights in relation to their personal information:
- The Right To Know, through a general privacy policy, and with more specifics available upon request
- what personal information a business has collected about them
- where it was sourced/collected from
- what it’s being used for, whether it’s being disclosed or sold
- to whom it’s being disclosed or sold to
- The Right To Have A Business Delete Your Personal Information, with some exceptions
- The Right To “Opt Out” of allowing a business to sell their personal information to third parties (or, for those under the age of 16 years, the right not to have their personal information sold absent their, or their parent’s opt-in);
- The Right To Receive Equal Service And Pricing from a business, even if they exercise their consumer privacy rights under the CCPA.
What is the definition of “personal information” under CCPA?
For purposes of CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Who must comply with CCPA?
CCPA will apply to for-profit businesses (regardless of physical address) that collect and control California residents’ personal information, do business in the State of California, and:
- Have annual gross revenues in excess of $25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California resident’s personal information.
Who is protected by CCPA?
CCPA requires that the protections be made available to “consumers,” who are defined as natural persons, who are California residents.
How will CCPA be enforced?
CCPA will be enforced by the California Attorney General, subject to a thirty-day cure period. The fines are capped at $2,500 per violation and $7,500 per intentional violation.
There is also a right to private action against the business or service provider for data breach violations.
When will the CCPA become effective?
The CCPA will take effect on January 1, 2020. The final compliance requirements will likely evolve between now and January 1, 2020. There is already an amendment awaiting the California Governor’s signature. On August 31, 2018, the California State Legislature passed SB 1121, making limited and largely technical amendments to the CCPA.
However, the compliance deadline of January 2020 has not been changed and while many believe that 2019 will bring additional changes to the CCPA, it appears that the CCPA’s core requirements will stay intact.
CENTRL will continue to monitor the changes to the CCPA and updating its Privacy platform with features to track compliance.
See how CENTRL can help: click here