In effect since January 1, 2020.
Organizations are subject to the CCPA if they meet at least one of the following criteria:
- Have annual gross revenues above $25 million;
- Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling consumers' personal information.
Key provisions of the CCPA:
- Right to know: Consumers have the right to request that businesses disclose what personal information they have collected about them, the categories of sources from which the data was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom the information was shared;
- Right to delete: Consumers have the right to request that organizations delete their personal information, subject to certain exceptions;
- Right to opt out of the sale of personal information: Consumers have the right to opt out of the sale of their personal information. Organizations must provide a "Do Not Sell My Personal Information" link on their websites and must honor opt-out requests from consumers;
- Right to non-discrimination: Consumers have the right not to be discriminated against for exercising their rights under the CCPA, including the right to opt-out of the sale of their personal information;
- Notice at collection: Organizations must provide notice to consumers at or before the point of collection of their personal information, disclosing the categories of data to be collected and the purposes for which the information will be used;
- Access to specific pieces of information: Consumers have the right to request specific pieces of personal information that an organization has collected about them and to receive that information in a portable and readily usable format;
- Notice of data breaches: In the event of a data breach, organizations must notify affected consumers as soon as possible and no later than 45 days after discovering the breach;
- Obligations of service providers: Service providers that process personal information on behalf of organizations must implement reasonable security measures to protect the personal data and are prohibited from retaining, using, or disclosing the information for any purpose other than as specified in their agreement.
Organizations that fail to comply with the CCPA can face significant penalties, including fines of up to $7,500 per violation. The CCPA also gives consumers a private right of action against businesses that suffer a data breach caused by the business's failure to implement reasonable security measures.
The CCPA is a complex law, and organizations operating in California should seek professional advice to ensure that they are fully compliant with the regulation.