Over the past three years, we have blogged extensively about the California Consumer Privacy Act ("CCPA" or the "Act") and the multiple amendments that have been made to it. All of the CCPA changes can make one's head spin. "CCPA for Dummies" is an attempt to strip down the Act and make it easier to understand the regulations by highlighting its/their key elements.
California passed the CCPA on June 28, 2018. Initially introduced by privacy activists as a ballot initiative, the CCPA was hastily put together by the California State legislature in an effort to obtain some control over the ability to amend or repeal the Act in the future. The CCPA went into effect on January 1, 2020, and enforcement of the Act began on July 1, 2020. Four modifications have been made to the regulations since that time. In addition, Californians recently voted to approve Proposition 24, the California Privacy Act ("CPRA"), which amended the CCPA yet again, to significantly expand consumer privacy rights.
Who Does the CCPA Apply To?
The CCPA applies to businesses that: 1) do business in the State of California; 2) collect California State resident personal information; and 3) meet at least one of the following thresholds:
- Have annual gross revenue of over $25 million in total global revenue (regardless of where the revenue is derived from);
- Buy, receive, sell or share the personal information of 50,000 or more consumers (a "consumer" is defined as a California resident), households or devices for commercial purposes each year; or
- Derive 50% or more of annual revenue from selling consumer personal information.
Businesses that meet or exceed any of the above thresholds should, if they have not already, diligently work towards achieving CCPA compliance.
The CCPA provides California residents with the right to request that businesses: 1) disclose to them what personal information they have and what they do with that information; 2) delete their personal information; and 3) not to sell their personal information. For businesses to be CCPA compliant they must provide consumers with appropriate forms related to such requests. These CCPA forms (and privacy policies) should be accessible to consumers online and in physical business locations.
Enforcement of the CCPA
The California State Attorney General has started to bring enforcement actions against businesses that it believes have violated the CCPA. Typically, businesses are first provided with a summary of their purported CCPA violations and given thirty (30) days to cure and respond to the Office of the Attorney General. Civil penalties can range from $2,500 for non-intentional CCPA violations, up to $7,500 for intentional violations.
Going Beyond CCPA for Dummies
CCPA for Dummies is only an introduction to some of the measures that businesses need to take in order to become CCPA compliant. As the CCPA regulations continue to evolve, businesses will, in turn, need to adapt their consumer privacy practices. Consulting with experienced consumer privacy attorneys will help in the effort to comply with CCPA regulations. Remember - no one wants to become the subject of a California Attorney General investigation.
Related Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.