The California Consumer Privacy Act (CCPA), which came into effect on January 1st, 2020, will undoubtedly help shape the future of privacy regulations in North America. This act was passed into law on June 28th, 2018, with further amendments coming into effect on January 1st, 2023. It is intended to enhance privacy rights and data protection for consumers by legislating how organizations can store and use private data.

The CCPA applies if you are an entity that does business in the state of California and you collect personal information in addition to meeting at least one of the following criteria:

  • Have annual gross revenues in excess of $25 million
  • Possess the personal information of 50,000 or more consumers, households, or devices
  • Earn more than half of your annual revenue from selling consumers’ personal information

If you are a company that has taken steps to comply with GDPR regulations, you will likely find that you are already in compliance with most of the requirements for this new legislation.

Rights under the CCPA

  • Right to know: You can request that a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties to whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
  • Right to delete: You can request that an organization delete personal information it collected from you and tell its service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
  • Right to opt-out of sale or sharing: You may request that an organization stop selling or sharing your personal information (“opt-out”). Businesses cannot sell or share your personal information after they receive your opt-out request unless you later authorize them to do so again.
  • Right to correct: You may ask businesses to correct inaccurate information that they have about you.
  • Right to limit use and disclosure of sensitive personal information: You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information.

Only residents of California have rights under the CCPA.

Personal information under the CCPA

Personal information is information that identifies, relates to, or could reasonably be linked with a person or their household.

Examples of personal information include:

  • Name
  • Social security number
  • Email address
  • Records of products purchased
  • Internet browsing history
  • Geolocation data
  • Fingerprints

It also includes other information that could create a profile about your preferences or characteristics.

Publicly available information is not classed as personal information under the CCPA.

Sensitive Personal Information under the CCPA

Sensitive personal information is a specific subset of personal information that will directly identify you.

This includes:

  • Government identifiers e.g. social security numbers
  • Account logins
  • Financial account information including debit and credit cards
  • Precise geolocation
  • Contents of mail, email and text messages
  • Biometric information
  • Health information
  • Information on racial or ethnic origin
  • Religious beliefs
  • Union membership

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.