What is the California Consumer Privacy Act and who does it apply to?

Smart phone with a symbol of a padlock on it

California Assembly Bill No. 375, also known as the California Consumer Privacy Act of 2018 (the “Act”), was approved and passed on June 28, 2018 and comes into force on January 1, 2020. Here we attempt to dissect the CCPA 2018 and help establish who actually is required to comply with the Act.

Who does the Act apply to?

The Act applies to any business, partnership, company, corporation or other legal entity (“business”) operating for profit that collects personal information from consumers in the State of California, but only if one of the following applies to the business:

  • It acquires 50% or more of annual revenue from selling consumer information
  • It has gross annual revenue of $25m or more
  • It sells personal information belonging to at least 100,000 consumers

If a business meets one or more of the provisions above, it must comply with the Act.

Why is CCPA 2018 needed?

In the United States, there are very few laws regarding data privacy that work to protect a consumer over a business. Typically, businesses control how they hold and use consumer information.

Following the General Data Protection Regulation (GDPR) coming into force in Europe, who controls individuals’ personal data is shifting on a global scale. In the US, California is the first state to pass regulations that are protective of the consumer. The campaign began with semi-retired real-estate developer, Alastair Mactaggart, who led and bankrolled a movement that demonstrated that California residents cared deeply about data privacy. The California legislature passed AB 375 on June 28, 2018.

How similar is CCPA to GDPR?

The General Data Protection Regulation (“GDPR”), is an European Union (“EU”) law that came into force on May 25, 2018. It applies to any business dealing with the personal data of EU citizens, wherever in the world that business is based.

It is important to be familiar with GDPR, but it is not the same as the California Consumer Privacy Act of 2018. Try out the quiz below. If you are familiar with GDPR, it should be a breeze. If not, don’t worry, just go with your gut answers.

The ten rights under CCPA

  • Right to know ALL data collected by a business about you, twice a year, free of charge
  • Right to say NO to the sale of your information
  • Right to DELETE the data which you have posted
  • Right to sue the business if your data was stolen or disclosed due to a data breach, and the business that collected it was negligent, (i.e. they did not encrypt or redact it)
  • Right not to be discriminated against if you tell a business not to sell your personal information
  • Right to be informed of what categories of data will be collected about you prior to its collection/at the point of collection, and to be informed of any changes to this collection
  • Mandatory opt-in before sale of information regarding children under the age of 16
  • Right to know the categories of third parties with whom your data is shared
  • Right to know the categories of sources of information from whom your data was acquired
  • Right to know the business or commercial purpose for collecting your information

What are the exceptions in the California Consumer Privacy Act?

While a consumer has the right to request that a business delete their personal information, a business is not required to comply with this instruction, if maintaining the personal information is necessary in order to:

  • Complete a transaction for which the personal information was collected or provide a good or service requested or reasonably anticipated by the consumer
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity
  • Debug to identify and repair errors that impair existing intended functionality
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech or exercise another right provided for by law
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business
  • Comply with a legal obligation
  • Use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

VinciWorks’ data privacy training suite

Screenshot of data privacy interactive assessment

VinciWorks’ online data privacy training suite allows organizations to train their entire staff on data privacy. Our training suite includes an interactive data privacy course that covers the latest data privacy regulations in the US, a GDPR course specifically for US-based staff and a California Consumer Privacy Act course. All our training can be customized to include company and industry-specific procedures, policies and contact people. Further, our data protection reporting portals allow organizations to create, track and automate all data protection registers, such as data audits, data breaches and more.