California has just enacted the biggest privacy law in the U.S. The California Consumer Privacy Act was passed in 2018 and went into effect January 1, 2020. As of yesterday, January 1, Americans are able to demand that companies disclose what personal data they have collected about them, and also ask companies to delete that data.
As with Europe’s General Data Protection Regulation (GDPR) from 2018, at least some aspects of the California Consumer Privacy Act (CCPA) could extend beyond the state. If you’re not familiar with GDPR, it is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.1
Does the CCPA Affect My Business?
Under the new law, Californians are legally allowed to know the types or categories of information collected and see the specific information a company has about them, including their email or mailing address. The disclosure of categories could extend to all users, not just Californians, as it may be difficult for a company to know where a user is coming from. The CCPA requires companies to disclose what personal information they have collected to individual users and lets consumers request that companies delete that data or forbid them from sharing it with third parties. Companies have 30 days to comply with the law once regulators notify them of a violation.
In many ways, the CCPA will strengthen the rules that some companies have already been applying, either on their own initiative or due to Europe’s GDPR.
What Kind of Data is Covered by the CCPA?
The CCPA defines personal data extremely broadly as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Some examples include: name, address, IP address, email address, social security number, driver’s license number, browsing history, search history, and geolocation data. The law also addresses emerging technology by including biometric data, such as DNA or images of the eyes, fingerprints, hand, and face. “Publicly available” information that federal, state, or local governments collect and publish is not protected, including birth records, marriage records, court filings and more.
Does CCPA Only Apply to California?
Yes, but this state law also applies to companies that are outside of California. Because the data privacy law covers out-of-state merchants who sell to Californians and display websites in the state, the reality is that companies outside of California will have to comply with the CCPA.
Does CCPA Affect All Businesses?
The CCPA applies only to large companies, or those that make the sale of data a main part of their business. There are three types of businesses that must comply: companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers, and firms that make more than 50% of their revenue selling consumer data.
To learn more about the CCPA and how it may affect your business, check out the CCPA Fact Sheet here.