California Consumer Privacy Act

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
California Consumer Privacy Act
Seal of California.svg
California State Legislature
Full nameCalifornia Consumer Privacy Act of 2018[1]
StatusPassed
IntroducedJanuary 3, 2018
Signed into lawJune 28, 2018
GovernorJerry Brown
CodeCalifornia Civil Code
Section1798.100
ResolutionAB-375 (2017–2018 Session)
WebsiteAssembly Bill No. 375

The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.[2] Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.[3][4]

Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 23, 2018.[5][6] The CCPA becomes effective on January 1, 2020.[7]

Intentions of the Act[edit]

The intentions of the Act are to provide California residents with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed and to whom.
  3. Say no to the sale of personal data.
  4. Access their personal data.
  5. Request a business delete any personal information about a consumer collected from that consumer.[8]
  6. Not be discriminated against for exercising their privacy rights.

Compliance[edit]

The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:

  • Has annual gross revenues in excess of $25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • Earns more than half of its annual revenue from selling consumers' personal information.[9]

Responsibility and accountability[edit]

  • Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(d)).
  • “Right to Say No to Sale of Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.102). [10]
  • Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).[11]
  • Update privacy policies with newly required information, including a description of California residents' rights (Cal. Civ. Code § 1798.135(a)(2)).[12]
  • Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).[13]

Sanctions and remedies[edit]

The following sanctions and remedies can be imposed:

  • Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c).[14]
  • Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General's Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).[15]
  • A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).[16]

Definition of personal data[edit]

CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.[2]

An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.[17]

It does not consider Publicly Available Information as personal.[18]

CCPA differs in definition of personal information from GDPR as it extends that to household in comparison of GDPR that classifies consumer information as personal only.[19]

See also[edit]

References[edit]

  1. ^ "AB-375, Chau. Privacy: personal information: businesses". California State Legislature. Retrieved 19 November 2018.
  2. ^ a b The California Consumer Privacy Act of 2018.
  3. ^ California Unanimously Passes Historic Privacy Bill Published by wired.com, retrieved on March 27, 2019
  4. ^ "Bill Text - AB-375 Privacy: personal information: businesses". Leginfo.legislature.ca.gov. Retrieved 27 November 2018.
  5. ^ "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  6. ^ "How the new California data privacy act could impact all organizations". Information Management. Retrieved 2019-01-30.
  7. ^ "2019 is the Year of . . . CCPA? [Infographic]". The National Law Review. January 8, 2019. Retrieved 2019-01-30.
  8. ^ Senate Bill No. 1120, Chapter 735, Sec.2, 1798.105
  9. ^ "CCPA Guide: Are You Covered by the CCPA". JD Supra. Retrieved 2019-01-30.
  10. ^ "Control Your Personal Information | CA Consumer Privacy Act". www.caprivacy.org. Retrieved 2019-01-30.
  11. ^ Valetk, Harry A.; December 18, Brian Hengesbaugh |; PM, 2018 at 12:05. "A Practical Guide to CCPA Readiness: Implementing Calif.'s New Privacy Law (Part 2)". Corporate Counsel. Retrieved 2019-01-30.
  12. ^ "Today's Law As Amended". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  13. ^ Captain, Sean (2018-07-02). "Here are 5 key details in California's new privacy law". Fast Company. Retrieved 2019-01-30.
  14. ^ "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  15. ^ "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  16. ^ "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  17. ^ "TITLE 1.81. CUSTOMER RECORDS[1798.80 - 1798.84]". Law No. DIVISION 3. OBLIGATIONS [1427 - 3273] e of January 1, 2010. California State Legislature. This article incorporates text from this source, which is in the public domain.
  18. ^ "Privacy: personal information: businesses.". Assembly Bill No. 1798.140/(o)(2) of June 28, 2018. California State Legislature.
  19. ^ Fielding, John (Feb 4, 2019). "Four differences between the GDPR and the CCPA". HelpNet Security.

External links[edit]