One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
As the United States' first comprehensive data privacy law, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation. It promotes transparency on the part of businesses and gives Californians more control over how their personal data is collected, used, and sold.
For consumers, this means they will be able to find more details in a business's privacy policy regarding what personal information is being collected, why it is collected, and whether that information is disclosed to other parties. They also have the right to make certain privacy requests: requests to know what personal information has been collected, requests to delete that information, and requests to opt out of the sale of their personal information.
For businesses, being CCPA compliant means honoring these consumer privacy rights. They must carefully examine their data collection and usage practices, make all the necessary disclosures in their privacy policy, and respond to privacy requests in a way that meets all legal requirements. They must also institute reasonable cybersecurity measures to prevent data breaches.
Here are the CCPA's key features at a glance.
Want to learn more? Read our Complete CCPA Guide.
As a California law, the CCPA grants privacy rights to California residents ("consumers"), defined as:
It's an inclusive definition that does not require a business-customer relationship. Employees and job applicants are considered consumers, just like anyone else.
The CCPA's definition of a business is a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds:
The third threshold requirement can be a bit deceptive. Under the CCPA’s definition, “sharing” personal information covers a lot of everyday activity, including the use of interest-based advertising. For example, when a customer clicks on a retargeting ad and makes a purchase, that revenue is “derived” from selling consumers’ personal information and should be included in this threshold calculation.
In some limited circumstances, the CCPA can also The California Privacy Protection Agency
The CCPA does not create a private right of action for consumers to sue businesses over violations of their privacy rights. However, it does create a private for consumers in the event of a data breach. According to the CCPA, consumers can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access due to the business's failure to implement and maintain reasonable security procedures. Plaintiffs can recover statutory damages of up to $750 per consumer per incident, or actual damages, whichever is greater. This provision is likely to give rise to a new type of class-action lawsuit.
Read more:
The CCPA takes a lot of inspiration from the European Union's General Data Protection Regulation (GDPR), but they are not identical. They use different definitions, have slightly different consumer rights, and are enforced differently. In many ways, the GDPR is more stringent, so businesses that are already compliant with the European law should find it easy to become CCPA compliant.
Read more:
Becoming CCPA compliant requires an examination of your business's current data practices from every angle, as well as a complete understanding of how the law's various components work together. The process can be divided into four steps:
Read more:
Getting Started with CCPA Compliance
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.