Image via istockphoto
Eric Gockel

Written by Eric Gockel


Just when you thought had GDPR all sorted out, along comes another privacy initiative, the California Consumer Privacy Act (CCPA). This new act becomes effective on January 1, 2020.

What does the California Consumer Privacy Act do?

The California Consumer Privacy Act (CCPA) is America’s first privacy law intended to enhance consumer protection and the privacy rights of California residents.

The obvious first question is, does the CCPA apply to my business?

Your business is subject to the CCPA if any one of the following are true:

  • 50% or more of your annual revenues are from selling consumers’ personal information.
  • Sells, buys or receives personal information of 50,000 or more consumers, devices or households. Additional record-keeping obligations apply if you buy, collect or sell personal information of more than 4 million consumers.
  • Gross annual revenues in excess of $25 million.

If your company doesn’t fix violations within 30 days of being notified, it can be fined up to $7,500 for each intentional violation. It is up to the California’s Attorney General to enforce and can’t until six months after the law takes effect.

Also, in the event your company gets hacked, individual consumers can sue for $100 or up to $750. (There is a 30-day notice provision for companies to fix the issue and notify consumers in writing) 

If none of the above describe your business, you’re probably safe to return to your social media. If any do apply, read on…

Does the CCPA only apply to California?

Basically, yes. The CCPA is a California state law that applies to companies that do business there. However, the data privacy law covers merchants that are out-of-state that may sell to people in California. Most likely, companies will apply the CCPA for all states instead of creating separate systems.

What are my obligations as a business?

  • If you are subject to the CCPA (see above), you must provide notice at or before data collection to consumers.
  • Your business must create procedures to respond to consumers that wish to delete, know or opt-out. At least two methods should be provided, such as a toll-free telephone number and a web page. Your privacy policy should also explain the process.
  • A “Do Not Sell My Info” link should be on your mobile app or website to handle opt-out requests. This link should also be visible in the footer of your homepage.
  • Businesses must verify the identity of consumers making requests to delete and know, regardless if the consumer has a secure login with the business.
  • Businesses must respond with specific timeframes to consumer requests to delete, know or opt-out.

These new rights for California consumers include:

  • The right to opt-out of the sale of personal information. Consumers can direct a business to stop selling personal information if it is doing so. Children under the age of 16 must provide opt-in consent and children under 13 need parental or guardian consent.
  • The right to delete personal information held by businesses as well the business’s service providers.
  • The right to know what specific personal information is being collected, shared, sold or used.

Pillsbury Winthrop Shaw Pittman has a good post about what should be in your updated privacy policy for CCPA.

Disclaimer: This content is not intended as legal advice and is only supplied for informative purposes only.