The California Consumer Privacy Act (CCPA), enacted in 2018, grants consumers greater control over their personal information and provides guidelines for businesses to comply with the law. The California Privacy Rights Act (CPRA), an amendment to CCPA, will became effective in January 2023, enhancing consumer privacy protections.
CCPA Overview
Initially established in 2018, CCPA went into full effect in 2020, influenced by the data protection and privacy principles of the EU's General Data Protection Regulation (GDPR). The CPRA, added to CCPA in 2020, will take effect in January 2023.
The CCPA regulations are structured into six articles:
- Article 1: General Provisions
- Article 2: Notices to Consumers
- Article 3: Business Practices for Handling Consumer Requests
- Article 4: Verification of Requests
- Article 5: Special Rules Regarding Consumers Under 16 Years of Age
- Article 6: Non-Discrimination
Entities Required to Comply with CCPA
Under CCPA, an organization qualifies as a business if it is a for-profit legal entity that collects personal information (PI) of California consumers, determines the purpose and means of PI processing, and meets one or more of the following conditions:
- Annual gross revenue exceeding $25 million
- Annual buying, selling, or sharing of PI for 50,000 or more consumers or households
- Deriving 50% or more of its annual revenue from selling consumers' PI
Businesses do not need to be physically present in California to be obligated to comply with CCPA requirements.
CCPA Rights and Regulations
Similar to GDPR, CCPA grants several rights to consumers regarding their personal data:
- General Duties of Businesses that Collect Personal Information
- Consumers' Right to Delete Personal Information
- Consumers' Right to Correct Inaccurate Personal Information
- Consumers' Right to Know What Personal Information is Being Collected. Right to Access Personal Information
- Consumers' Right to Know What Personal Information is Sold or Shared and to Whom
- Consumers' Right to Opt Out of Sale or Sharing of Personal Information
- Consumers' Right to Limit Use and Disclosure of Sensitive Personal Information
- Consumers' Right of No Retaliation Following Opt-Out or Exercise of Other Rights
CCPA Enforcement
With the introduction of CPRA, the enforcement authority transitions from the California Office of the Attorney General to the newly established California Privacy Protection Agency (CPPA). The CPPA will be responsible for compliance inquiries and implementing CCPA regulations.
The CPPA comprises subject matter experts in privacy, technology, and consumer rights. The board consists of a chairperson and five members nominated by the Attorney General, Senate Rules Committee, and Speaker of the Assembly. Additionally, the Governor assigns the chairperson and one member of the board. The CPRA grants the California Privacy Protection Agency full oversight in enforcing the California Consumer Privacy Act, ensuring compliance with privacy regulations.
Fines Associated with CCPA
Administrative enforcement is covered under 1798.155. While not verbatim, each violation of the provisions outlined in this section may result in fines:
- Up to $2,500 or $7,500 for intentional violations per violation
- The CPPA has the authority to investigate complaints regarding personal information infractions and enforce penalties.
- Fines collected under this title, along with settlement funds, are allocated to the Consumer Privacy Fund.
Content found within this document is based on Carbide’s understanding of and the information provided by the official website and documentation of the CCPA