The California Consumer Privacy Act (CCPA) is a state statute designed to protect the personal information of California residents. Like the EU's General Data Protection Regulation (GDPR), it gives residents the right to know what information is being collected about them and why, the right to request that information be deleted (with some exceptions), the right to opt out of having their information sold, and the right not to be discriminated against for exercising these rights. Only California residents have rights under the CCPA.
The CCPA applies only to for-profit businesses that do at least $25 million USD in annual sales. Those businesses' responsibilities include:
- Implementing processes to obtain parental or guardian consent for minors under 13 years, and the affirmative consent of minors between 13 and 16 years, before sharing their data
- Providing a "Do Not Sell My Personal Information" link on the business's home page so residents can opt out of the sale of their personal information
- Providing a method for submitting data access requests, including, at a minimum, a toll-free telephone number
- Updating privacy policies with the newly required information, including a description of California residents' rights
- Not requesting opt-in consent for 12 months after a California resident opts out
Under the CCPA, companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater, plus any other relief a court deems proper, subject to an option of the California Attorney General's Office. For privacy violations, fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation can also be levied against the business.
Even if you are not a California business doing $25 million USD in annual sales, you still need to think about safeguarding your clients' privacy and information. More jurisdictions plan to roll out similar privacy laws that make businesses financially responsible for losses. No matter where in the world you do business, it is best to make sure you are able to protect consumer data, so that your organization is prepared when similar regulations become law in your area.