California State Legislature
The California Consumer Privacy Act of 2018 (CCPA) is a consumer protection law that grants California residents increased control over their personal information collected by businesses. The law provides various privacy rights to consumers, including the right to know about the personal information collected and its use, the right to request the deletion of personal information (with some exceptions), the right to opt out of the sale or sharing of their data, and protection against discrimination for exercising their CCPA rights. The CCPA became effective in January 2020. In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA), which updated the CCPA with new privacy protections effective January 1, 2023. These include the right for consumers to correct inaccurate personal information and limit the use of sensitive data collected about them.
The CCPA places responsibilities on businesses, service providers, and third parties, as well as contractors, the last being a category introduced by the CPRA. A business is defined in the CCPA as a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds: it has a gross annual revenue exceeding $25 million, it buys, sells, or shares the personal information of 100,000 or more consumers or households annually, or it derives 50% or more of its annual revenues from the sale or sharing of consumers' personal information. The CCPA applies to a wide range of businesses, including data brokers.
The CCPA contains general duties for the collection of personal information, as well as rights that it confers on consumers. Under the CCPA, consumers are natural persons residing in California. General duties include the duty to inform consumers about the collection of the data, which covers both businesses and third parties; the requirement for businesses to have in place a data sharing agreement with the third parties, service providers, and contractors they engage with; the limitation of processing to its initial purpose; and the requirement to implement data security measures. In addition to the duties for collection of personal data, the CCPA confers the following rights on California consumers: the right to be informed about what personal data businesses collect, its usage, and sharing; the right to delete personal data; the right to opt out of personal data sale or sharing; and the right of no retaliation for exercising CCPA rights. It also includes rights to rectify inaccurate personal information and restrict the use and disclosure of sensitive data. Businesses must fulfil various obligations connected to the consumer's rights, such as responding to consumer requests to exercise the rights and providing relevant privacy practice notifications.