The California Consumer Privacy Act (CCPA) is a consumer-directed law that empowers California consumers to learn how a business stores, retains and uses their personal information (PI). The CCPA gives consumers certain rights about the personal information that businesses collect about them. Businesses will need to be transparent with consumers about the personal information they collect and how they use it.

The CCPA went into effect on Jan. 1, 2020. Many companies are still grappling with the details of the law, the amendments, the proposed regulations, and how to comply.

Now is the time to determine whether the CCPA applies to your company, and if it does, take measures to comply with its requirements.

To Whom Does the CCPA Apply?

The CCPA applies to California residents. The CCPA applies to for-profit businesses that do business in California (not just businesses that reside in California) and meet any of the following three criteria:

  1. annual gross revenue in excess of $25 million;
  2. annual purchases, receipt or sales of the PI of 50,000 or more California residents; or
  3. derivation of 50 percent or more of annual revenue from selling consumers’ PI.

What is Exempt from the CCPA?

If the personal information is already regulated by another federal law such as HIPAA or GLBA, or a state law such as California’s Confidentiality of Medical Information Act, then it is outside the scope of the CCPA.

Nonprofit entities are exempt from the CCPA.

Rights of Consumers Regarding Their Personal Information

  • The right to ask companies to identify the categories of personal information they collected on the consumer and whether a business is collecting or selling/disclosing their personal information.
  • The right to demand that personal data not be sold or shared for business purposes.
  • The right to sue companies that violate the law or that experience data breaches.
  • The right to access and download their personal information.
  • The right to opt out of the sale of their personal information.
  • The right to request deletion of their personal information.
  • The right not to be discriminated against.
  • A business may not sell children’s information (if the child is under age 13) without an affirmative opt-in from a parent or guardian. For children between the ages of 13 and 16, the child may provide that opt-in consent.

What Is Personal Information Under the CCPA?

CCPA defines “personal information” to include the following categories:

  • Identifiers, such as name, address, IP address, email address, Social Security number, account name, driver’s license number, passport number or other similar identifiers.
  • Characteristics of protected classifications, such as race, religion, sexual orientation.
  • Commercial information, such as records of purchases or consuming tendencies.
  • Biometric information.
  • Internet or other electronic network activity, such as browsing or search history, website interaction.
  • Geolocation data.
  • Professional or employment-related information.
  • Education data.

 

Source: Society for Human Resource Management