The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States.
The three CCPA thresholds for businesses
CCPA applies to any for-profit businesses in the world that sells the personal information of more than 50,000 California residents annually, or have an annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.
Sale of PI is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (1798.140.t1).
If a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance too.
Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected.
Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights).
Failure to comply with the CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in civil damages for businesses.
The power to enforce the CCPA lies with the office of the Attorney General of California, who has until July 2020 to specify enforcement regulation.
However, the interim period between January and July 2020 is not a grace period, and businesses are liable for civil lawsuits from their data collection and selling from January 1, 2020.