The CCPA is the California Consumer Privacy Act, a data privacy law introduced in 2018 and enacted in 2020. It protects some of Californians’ personal information and their rights to maintain some control over that information. The CCPA covers all California residents, which means that any businesses that are covered by the law and have customers in California must comply with it, even if the business is in another state or continent. All for-profit companies with gross revenue of $25 million are bound by the CCPA, as well as businesses with personal information on 50,000 customers.
The rights that the CCPA gives California residents are:
- The right to know: businesses must provide information for customers explaining what data is collected and how that data is used, including which third parties received the data.
- The right to delete: customers can request that certain information be deleted from a business’s database. They can also request that inaccurate information be deleted or corrected.
- The right to opt out: every business website should have a clearly defined button for customers to select “Do Not Sell My Personal Information” if they don’t want that business to sell their information. Customers can also learn whether a business is selling their information by submitting a request for that information.
- A notice at collection: consumers have a right to receive a notice when and why their information is collected. The notice at collection must also have a Do Not Sell link if the customer’s data will be sold to third parties so that the customer has the option of preventing the business from selling their information.
These regulations do have some exceptions, and only certain businesses are required to comply with them. For example, nonprofit organizations are not bound by CCPA, and neither are certain credit reporting agencies. California residents are also limited in the legal actions they can take when businesses don’t meet CCPA regulations. They may only sue in certain cases of data breach. The California attorney general can take action against a business that has run afoul of the law, but the California government website states that the attorney general does not directly represent residents or their complaints against businesses.
The CCPA – and businesses’ scramble to comply with its strictures – have highlighted the proliferation of personal data sales. While businesses rely on huge amounts of customer information to market products and manage customer relationships, privacy regulations remind consumers and businesses alike that using others’ data is a privilege, not a right. The California Privacy Rights Act (CPRA), part of the November 2020 ballot, would amend and strengthen the CCPA and give businesses around twelve to eighteen months to put it into place.