The California Consumer Privacy Act of 2018 (CCPA or the Act) relates to companies that collect personal information from consumers. The Act arose as a way to override a ballot initiative proposed by a private citizen. As such, the CCPA is recognized as having been rushed through the legislative process and having a number of flaws as a result. The CCPA became effective on January 1, 2020; however, based on the ambiguity of the CCPA as currently written, the California Attorney General is to release guidance memorandums. The CCPA is to be enforced by the Attorney General after July 1, 2020. Between January 1, 2020, and July 1, 2020, the CCPA can only be enforced through a private cause of action. In an increasingly online world where data hacks and privacy breaches are becoming more commonplace, the CCPA aims to put the consumer in more control of his or her personal information collected by certain businesses.
A business is subject to the CCPA if the business: (1) collects consumers’ personal information and determines the purposes and means of processing the information and (2) either (a) has a gross annual revenue exceeding $25 million; (b) buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices, (c) or derives 50 percent or more of its annual revenue from selling consumers’ personal information. The Act will also apply to those businesses which control or are controlled by a business which fits one of the above criteria and shares common branding with that business. The CCPA will not apply to your business unless your business satisfies both of these requirements.
The CCPA provides consumers with five distinct rights relating to their personal information: (1) the right to know, (2) the right to deletion, (3) the right to opt-out, (4) the right for a minor to give consent via opt-in, and (5) the right to non-discrimination.