California's privacy law, the California Consumer Privacy Act (CCPA), grants consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain that personal information. The CCPA applies only to entities that do business in California and satisfy thresholds such as annual revenues above $25 million, processing the personal data of more than 50,000 individuals, and acquiring 50% or more of their revenue from selling data.
While the CCPA has inspired similar laws in other states, it does not apply nationwide.
Characteristics | Values |
---|---|
Scope | California residents only |
Businesses covered | For-profit businesses that have gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents or households; or derive 50% or more of their annual revenue from selling California residents' personal information |
Rights granted | Right to know, right to delete, right to opt-out of sale or sharing, right to correct, right to limit use and disclosure of sensitive personal information, and right to non-discrimination |
Enforcement | California Attorney General, California Privacy Protection Agency, or private right of action for breaches of unencrypted personal information |
The California Consumer Privacy Act (CCPA)
The CCPA gives California residents the following rights:
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them (with some exceptions).
- The right to opt out of the sale or sharing of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
- The right to correct inaccurate personal information that a business has about them.
- The right to limit the use and disclosure of sensitive personal information collected about them.
The CCPA applies to for-profit businesses that do business in California and meet at least one of the following:
- Have a gross annual revenue of over $25 million.
- Buy, sell, or share the personal information of 100,000 or more California residents or households.
- Derive 50% or more of their annual revenue from selling California residents' personal information.
The CCPA does not apply to nonprofit organizations or government agencies.
The right to know
The California Consumer Privacy Act (CCPA) gives California residents the right to know what personal information businesses have collected about them and how it is used and shared. This means that California residents can request that a business disclose:
- The categories and/or specific pieces of personal information they have collected.
- The categories of sources for that personal information.
- The purposes for which the business uses that information.
- The categories of third parties with whom the business shares the information.
- The categories of information that the business sells or discloses to third parties.
California residents can make a request to know up to twice a year, free of charge. Businesses must respond to these requests within 45 calendar days and can extend this deadline by another 45 days if they notify the requester.
The CCPA was passed in 2018 and was the first comprehensive consumer privacy law in the United States. It gives consumers more control over the personal information that businesses collect about them. The CCPA applies to for-profit businesses that do business in California and meet certain criteria related to their revenue, the amount of personal information they buy, sell, or share, and the proportion of their revenue derived from selling personal information.
The right to delete
The California Consumer Privacy Act (CCPA) gives consumers the right to request that businesses delete their personal information. Once a business verifies the request, it must delete the personal information. However, there are exceptions to this right. For example, if a business is legally required to keep the information, then it is exempt from the obligation to delete it. Other exceptions include:
- Completing a transaction
- Providing a service
- Ensuring the security and integrity of the personal information
- Complying with legal obligations
Businesses have 45 days to respond to a request to delete and may extend this deadline by another 45 days if necessary. If a business fails to comply with a request to delete, it may be fined up to $750 per incident.
The right to opt-out
The California Consumer Privacy Act (CCPA) grants California residents the right to opt out of the sale of their personal information. This means that California consumers can request that businesses stop selling or sharing their personal data. The CPRA, which came into effect on January 1, 2023, amended the CCPA and added new privacy protections, including the right to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information.
The CCPA opt-out requirements include the duty to provide consumers with a link and another mechanism for opting out. The "Do Not Sell My Personal Information" link is crucial for compliance and should be visible and easily accessible on a business's website, typically in the footer of the homepage. This link allows consumers to opt out of the sale of their personal information with just one click.
Businesses must also respond to opt-out requests submitted over other communication channels, such as email. Additionally, they must comply with signals from universal opt-out mechanisms, such as the Global Privacy Control (GPC), which allow users to set their privacy preferences across all websites through their browser settings.
The CCPA opt-out right is a significant component of California's consumer privacy laws, giving consumers control over their personal data and ensuring businesses adapt to new obligations that prioritize consumer privacy.
The right to correct
The California Consumer Privacy Act (CCPA) gives California residents the right to correct inaccurate personal information that businesses have about them. This right was added to the CCPA by Proposition 24, the California Privacy Rights Act (CPRA), which came into effect on January 1, 2023.
To submit a request to correct their personal information, consumers should review the business's privacy policy, which should include instructions on how to submit such a request. Businesses are required to designate at least two methods for submitting requests, such as an email address, website form, or hard copy form. One of these methods must be a toll-free phone number, and if the business has a website, one method must be through the website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests.
Businesses have 45 calendar days to respond to a request to correct, and they can extend this deadline by another 45 days (90 days total) if they notify the consumer. There are some instances in which a business may deny a request to correct, including if they determine that the information is accurate based on the totality of the circumstances, or if they cannot verify the identity of the person making the request.
Frequently asked questions
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses’ use and disclosure of your sensitive personal information.
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.