California Consumer Protection Act CCPA
Sale under CCPA
Under the CCPA, the sale of personal information includes any disclosure of personal information "to another business or third party" in exchange for value of any kind monetary or otherwise. May be sale even if no money exchanged
CCPA exemptions
business not doing business in CA Nonprofit organizations Entities which do not determine the purpose or means oof processing consumer personal info
CCPA covered business
for-profit with one or more of the following: Does more than $25 million annual revenue Hold the personal info of 50,000 people, households or devices Makes At least 50% of revenue form Personal information sales
CCPA protected individuals
Consumer natural person who is a CA resident and who is In the state for other than a temporary or transitory purpose Domiciled in the state who is outside the state for a temporary or transitory purpose
Business Obligations
Have a verification process so consumers can prove their identity when attempting to exercise their rights Respond to consumer request for access to (PI, deletion of PI, Etc.) free of charge within 45 days Disclose to consumers the categories of third parties to which the business sells shares of PI Provide methods for consumers to make request to know and requests to delete including a website (if one exists) and a toll free number Include conspicuous "Do not Sell My Personal Information" link on website Provide consumer certain disclosures like categories of PL collected, collection purpose(s), consumer rights and privacy policy Train certain employees on consumer rights under the law Cannot discriminate against consumer who exercise their rights under law
CCPA (California Consumer Privacy Act)
Provides a comprehensive regime for data privacy rights for California state residents
CCPA Consumer Rights
Request a record of types pf PI, sources of PI, specific PI that has been collected, what PI has been collected, and information about what's being done with the related data in terms of both business use and third party sharing Have a right to erasure (the deletion of PI) with exceptions for completion of a transaction Exceptions include PI needed to complete a transaction, research, free speech, and some internal analytical use Consumers have the option to opt out having their data sold to third parties
CCPA enforcement
The CCPA will be enforced by the state attorney general. Failure to address an alleged violation within 30 days could lead to a 7,500 fine per violation The law also introduces a private right of action, granting consumers the ability to sue for 100-750 per violation for further actual damages The private right of action is only available in cases of data breach, not for all violations of the law
Notice CCPA
The CPPA requires that business provide notice to consumer in a number of provisions Initial Notice: inform consumers Website notice: disclose category Right to opt out Notice: do not sell