Ch. 6 - California Consumer Privacy Act
Consumer
A natural person who is a California resident.
Initial Notice
A notice at or before the point of collection that informs consumers regarding the categories of personal information collected and the purposes of their use.
"Right to Opt-out" Notice
A notice that provides a clear and conspicuous link to a homepage that says "Do Not Sell My Personal Information."
Website Notice
An online privacy notice that describes the rights consumers may exercise under the CCPA. It must disclose the categories of personal information collected, categories of the information sold, and categories of information disclosed. Must be updated once every 12 months.
Business
Any legal entity organized or operated for the profit or financial benefit of its shareholder or other owners which alone, or jointly with others, determines the purposes and means of processing consumers' personal information. Must do business in California and meet one of the following requirements: annual gross revenue > $25 million, 50,000 or more consumers, receives 50% or more annual revenue from sale of consumers' PI.
Inferences
Creating profiles from personal information which reflect preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes of the consumer.
California State Attorney General
Enforces CCPA. Civil penalties range from $2,500 to $7,500.
Sale of Personal Information
Includes any disclosure of personal information to another business or third party in exchange for value of any kind, monetary or otherwise.
Deidentified information
Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
Personal Information
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Breach
Must consist of 1) an unauthorized access and exfiltration, theft, or disclosure of the consumer's personal information resulting and 2) the business's failure to implement and maintain reasonable security procedures and practices. Must play damages between $100 and $750 per incident.
10 Types of Personal Information
Personal Identifiers, Protected classifications under California or federal law, Commercial information, Biometric information, Internet and network activity, Geolocation information, Sensory information, Professional or employment information, Non-Public education information, and Inferences.
Individual Rights Concerning Personal Information
Right to request disclosure of business' data collection and sales practices, right to request specific personal information collected, right to have certain information deleted, right to request that personal information not be sold to third parties, and the right not to be discriminated against because of exercising these rights.