What is CCPA?
Overview of CCPA
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, USA. Enacted on January 1, 2020, the CCPA gives consumers more control over the personal information that businesses collect about them.
The CCPA empowers California residents with the right to access, delete, and opt out of the sale of their personal information, giving them greater control over their privacy. By requiring businesses to disclose their data collection and sharing practices, the CCPA promotes transparency and accountability.
Who Must Comply with CCPA?
CCPA applies to any for-profit business that operates in California and meets at least one of the following criteria:
Annual Gross Revenue: The business has annual gross revenues exceeding $25 million.
Data Volume: The business buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices annually.
Revenue from Data Sales: The business derives 50% or more of its annual revenues from selling California residents’ personal information.
Updates Under the California Privacy Rights Act (CPRA)
On January 1, 2023, the California Privacy Rights Act (CPRA) introduced key updates to privacy regulations, expanding the scope of the California Consumer Privacy Act (CCPA). The CPRA applies to for-profit businesses that:
Have annual gross revenues over $25 million.
Derive more than 50% of their annual revenue from selling or sharing California residents’ personal information.
Key Changes:
Higher Data Threshold: The threshold for processing or sharing personal information increased from 50,000 to 100,000 California residents or households.
Inclusion of B2B Data: The CPRA now covers business-to-business (B2B) data.
New Enforcement Body: The California Privacy Protection Agency (CPPA) oversees and enforces the CPRA.
Expanded Consumer Rights:
Right to Correction: Consumers can have inaccurate data collected about them corrected.
Right to Limit Use of Sensitive Information: Consumers can limit the use of data categorized as sensitive personal information.
Right to Automated Decision-Making Information: Consumers can request information about automated decision-making processes and their likely outcomes.
Right to Opt-Out of Automated Decision-Making: Consumers can opt out of the use of automated decision-making technology regarding their personal information.
The CPRA also includes “sharing” of data, expanding the scope beyond the “selling” covered by the CCPA. This regulation modifies existing consumer rights and introduces several new rights to further protect consumer privacy.
Risks of Not Complying with CCPA
Non-compliance with the California Consumer Privacy Act (CCPA) can result in substantial fines and legal actions. Businesses can face fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. If the violation involves the personal information of minors under 16, the penalties can be even higher.
Additionally, consumers have the right to file private lawsuits against businesses for data breaches involving unauthorized access, theft, or disclosure of personal information. The California Privacy Protection Agency (CPPA) may provide a 30-day period to rectify violations, but failure to comply within this period can lead to continued fines and legal actions.
How to Comply with CCPA?
Under the California Consumer Privacy Act (CCPA), cookies are considered personal information. Businesses must inform consumers about the use of cookies and obtain their consent.
Understanding Cookies and CCPA Compliance: Cookies are small files stored on a user’s computer or device by websites. They can contain personal data such as browsing history or preferences. The CCPA classifies this information as personal because it can identify, describe, or be linked to a particular consumer or household.
Informing Consumers: Businesses must clearly disclose their use of cookies. This is typically done through a cookie banner or notice that appears when a user first visits the website. The notice should explain what cookies are, how they are used, and their purpose.
Obtaining Consent: Under the CCPA, businesses must obtain consumer consent before using cookies. This is usually done through an opt-in mechanism on the cookie notice or banner. Consumers must actively agree to the use of cookies by clicking a button or checkbox indicating their consent. Silence or inactivity cannot be considered consent.