California Consumer Privacy Act (CCPA)
Overview
The California Consumer Privacy Act (CCPA) is a California law that grants California residents privacy rights and consumer protections over their personal information. Effective January 1, 2020, it gives consumers more control over how businesses collect, use, and share their personal information: businesses must disclose their data collection practices, honor consumer requests to access or delete personal information, and offer a way to opt out of the sale of personal information. The law was initially enforced by the California Attorney General, with civil penalties for non-compliance. The California Privacy Rights Act (CPRA), effective January 1, 2023, amends and expands the CCPA by adding new consumer rights, strengthening existing ones, and establishing the California Privacy Protection Agency (CPPA) as a dedicated enforcement and rulemaking authority; the Attorney General retains the power to enforce the law as well. The CPRA also introduces new obligations for businesses, such as data minimization, purpose limitation, and requirements for handling sensitive personal information. The final CCPA regulations, which took effect in March 2023, provide detailed guidance on how businesses must comply with the CCPA as amended by the CPRA.
Regulation Summary
Timeline
- June 28, 2018: CCPA signed into law.
- January 1, 2020: CCPA takes effect.
- July 1, 2020: California Attorney General begins enforcement actions.
- November 3, 2020: CPRA (Proposition 24) passed by voters, amending and expanding the CCPA.
- January 1, 2023: CPRA amendments take effect; the CPPA begins administrative enforcement on July 1, 2023.
What Businesses Are Affected
The CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of the following thresholds (as amended by the CPRA):
- Annual gross revenues over $25 million (subject to periodic inflation adjustment).
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households per year (the original CCPA threshold was 50,000 consumers, households, or devices).
- Deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
Exemptions
- Non-profit organizations (the law applies only to for-profit businesses).
- Personal information collected in the employment or business-to-business context was exempt under the original CCPA, but those exemptions expired on January 1, 2023; employee, contractor, job applicant, and B2B contact data is now covered.
- Some financial and health data already regulated by other laws (e.g., GLBA, HIPAA). These exemptions are partial: they cover the regulated data, not the business as a whole, so other personal information the business holds remains in scope.
Responsibilities for Businesses
- Provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link (the original CCPA wording was “Do Not Sell My Personal Information”; the CPRA added “or Share”).
- Honor consumer requests to know, access, correct, delete, or opt out, generally within 45 days of receipt.
- Provide notice, at or before the point of collection, of the categories of personal information collected, the purposes for which it is used, and the categories of third parties to which it is sold, shared, or disclosed.
Specific Responsibilities for Website Owners
- Display a prominent opt-out link for sales and sharing of personal information, and treat browser-based opt-out preference signals as valid opt-out requests, as the CCPA regulations require.
- Present a privacy policy, updated at least every 12 months, that describes the categories of personal information collected, the purposes, the consumer rights available, and how to exercise them.
- Provide at least two methods for submitting verifiable consumer requests (typically a toll-free number and a web form; a business operating exclusively online with a direct consumer relationship may instead provide an email address), and verify the requester's identity before disclosing or deleting any data.
Additional Requirements
- Training for personnel who handle consumer inquiries and requests, so they know the law's requirements and how to direct consumers to exercise their rights.
- The CCPA does not require a Data Protection Officer; designating someone to own privacy requests is a practical measure, not a statutory obligation.
- Enhanced protections for minors: affirmative opt-in consent is required before selling or sharing the personal information of consumers under 16 (consent of a parent or guardian for those under 13).
Data Subject Rights
- Know/Access: learn what personal information a business collects, its sources and purposes, and the third parties it is sold, shared, or disclosed to, and obtain a copy of the specific pieces collected.
- Delete: request deletion of personal information, subject to statutory exceptions.
- Correct: request correction of inaccurate personal information (added by the CPRA).
- Opt-Out: direct a business not to sell or share personal information.
- Limit: restrict a business's use of sensitive personal information to what is necessary to provide the requested goods or services (added by the CPRA).
- Non-Discrimination: receive equal service and pricing regardless of exercising these rights.
Supervisory Authority
- Authority: California Attorney General and California Privacy Protection Agency (CPPA); since the CPRA, the CPPA handles rulemaking and administrative enforcement, and the Attorney General retains civil enforcement.
- Fines: civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16. Penalties are assessed per violation, so a single practice affecting many consumers compounds quickly.
- Private Right of Action: consumers may sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) when their nonencrypted and nonredacted personal information is exposed in a data breach resulting from the business's failure to implement and maintain reasonable security procedures. This is the provision most directly tied to security engineering: encrypting or redacting the data classes it covers removes that data from the scope of the claim.
Questions?
If you would like to learn more, our compliance experts are happy to support you.