The 2018 California Consumer Privacy Act (CCPA) is the first state-level comprehensive privacy law in the U.S. It applies broadly to businesses or organizations, including data brokers, that collect personal information from California consumers, imposing extensive transparency and disclosure obligations.
It also creates consumers’ rights to know what personal data is being used and how it is shared, the right to delete personal data wherever lawful or reasonable, the right to opt-out of the for-profit sale of their data to third-parties (with exceptions), and the right to non-discrimination regarding their choice to exercise the above rights.
In Nov. 2020, California passed the California Privacy Rights Act(CPRA), which will amend the CCPA in 2023 and includes additional consumer protections and business obligations. Read more about the CPRA here.
How it applies in reality
The law applies to all for-profit businesses or data brokers that “have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California households, residents, or devices; or derive 50% or more of their annual revenue from selling California residents personal information.” Such businesses must now give more detailed and prominent explanations about their privacy practices and may be obligated to respond to requests for access to their data processing activities.
Request to know:
Businesses must offer at least 2 options for submitting a request. A standard method is through an email account created specifically for this purpose. After a request to know has been submitted, the organization has 45 days to respond but may take up to 90 days if they notify the consumer.
Requests to delete information:
The requests are managed similarly, and adhere to the same deadlines as the request to know.
The right to opt-out of the sale of personal information:
Organizations in the business of selling data are required to post an unambiguous “Do Not Sell My Personal Information” link on their websites, and must not require a consumer to sign up for an account in order to make this request. Requests to opt-out will only be denied if the sale represents a legal obligation for the organization, or if the information is exempt in the legislation, such as medical documentation or credit reporting.
The right to non-discrimination:
An organization cannot deny a consumer access to their goods and services in response to a consumer exercising their rights. Unless the sale of a consumer’s data is a necessary component to their service, that is, the transaction cannot be completed without it, the organization is obligated to serve the consumer. Organizations are, however, allowed to offer special promotions and discounts in exchange for a consumer’s participation in their data collection programs, but only “if the financial incentive offered is reasonably related to the value of your personal information."