California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the first privacy law in the United States to regulate the collecting, managing, and selling of website users' personal information. It was signed in 2018 and became effective on January 1, 2020. The CCPA applies to California residents, who are called Consumers in the law. Read the full text of the California Consumer Privacy Act on the California Legislative Information website.
What Organizations Are Subject to the CCPA?
The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, conducts business in California, and satisfies at least one of the following criteria:
- Sales of consumer data account for 50% (or more) of annual revenue.
- The business has total revenues of over $25 million.
- The organization sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals.
Exceptions for Organizations under the CCPA
The following organizations are exempted from the CCPA:
- Financial institutions, such as those subject to the Gramm-Leach-Bliley Act (GLBA).
- Healthcare institutions that treat personal data in accordance with other laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
Penalties for not complying with the CCPA
Failure to comply with the CCPA can result in fines for businesses of $2,500 for each unintentional violation or $7,500 for each intentional violation, and from $100 to $750 per affected consumer. If the website has many users, the penalty could reach millions of dollars.
Consumers' Rights under the CCPA
California's consumers have these main rights under the CCPA:
- Right to notice. Consumers have the right to know what personal data is being collected about them and the purposes for which the information is being used.
- Right to know. Consumers have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Consumers have the right to access their personal data upon request.
- Right to opt-out. Consumers have the right to agree or disagree to the collection, management, or sale of their personal data.
- Right to deletion. Consumers have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Consumers must not be discriminated against for exercising their privacy rights.
What is considered personal information?
Under the CCPA, personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Such personal information could be direct identifiers (such as a real name, alias, postal address, unique personal identifier), unique identifiers (such as online identifier, IP address, email address, account name, social security number, driver's license number, license plate number, passport number), internet activity (such as browsing history, search history), biometric data, geolocation data, sensitive information (such as health data, personal characteristics, behavior, religious or political convictions, sexual preferences, education data, financial and medical information, credit or debit card number, health insurance information), or professional or employment-related information.
Publicly available information is not considered personal information.
Cookie compliance regarding the CCPA
Cookies are used to collect website users' personal information and to get Cookie Consent. Cookies and other website tracking technologies are classified as unique identifiers and are part of personal information.
Businesses must comply with the CCPA if they are managing the personal data of California residents. Thus, website owners must know the location of their website users. This could be done using a geo-targeting function. Using geo-targeting, businesses can set up different cookie banners with different settings for different locations. The banners will not conflict with each other, and the proper script will be used for each location. Different cookie banners and different privacy notices will be delivered to consumers based on their geographic locations. Website visitors will see only the banner that is needed for their particular US state.
Read more about the CCPA.