What is the California Consumer Protection Act (CCPA)?
The state of California recently passed a law requiring that certain businesses “… would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
The law was passed in 2018 and will be enforced beginning January 1, 2020, and it contains three primary provisions:
The Right to Request Disclosure
The Right to Request Deletion
The Right to Opt-Out
This law takes a page from the book of the EU’s GDPR and ePrivacy laws, which seek to protect individual data as well as give citizens recourse when they believe their privacy rights have been infringed.
Who Is Required to Comply with CCPA?
This law only applies to Californian residents and companies, and not all companies fall within its purview:
“However, to be regarded as a business under the CCPA, a company has to meet at least one of the three following attributes (1798.140.c):
- have an annual gross revenue exceeding $25 million,
- derive 50% or more of its annual revenues from selling consumers’ personal information,
- buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices a year.”
Essentially, the law is only applicable for businesses of a certain size, gross revenue, and for whom the majority of their revenue comes from selling consumer data.
While the law might not impact many US businesses at the moment, it could be indicative of what’s to come in the next few years for the United States.
What Does CCPA Require?
The following briefly outlines what the California Consumer Privacy Act requires:
Right to Request Disclosure: “The CCPA grants the consumer “the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected” (1798.100.a).”
Right to Request Deletion: “The CCPA grants the consumer “the right to request that a business delete any personal information about the consumer which the business has collected from the consumer” (1798.105.a).”
Right to Opt-Out: “The CCPA gives the consumer the right to demand a business not to sell their personal information to third parties (1798.120.) If such a request is received, the business is prohibited to sell their personal information.”
Critics believe parts of the law are ambiguous and that it leaves some questions unanswered.
For more information, you can review the entire bill (AB-375 Privacy: Personal Information) or consult a lawyer.
If you have ensured that your business complies with the GDPR, you should be well on your way to being CCPA compliant as well.
One key differentiator between GDPR and CCPA: GDPR requires business to receive prior consent before collecting personal information, whereas CCPA requires business to disclose and forfeit information, should they be asked to do so.
You can learn more about CCPA by clicking on the links below:
Note: The above statements represent Market Vantage’s interpretation of the law and should not be used in a court of law. We strongly suggest you consult a lawyer if this matter is applicable to your business.