Does the California Consumer Privacy Act Apply to Your Business?
The California Consumer Privacy Act (CCPA) grants consumers the right to:
- Ask businesses whether they are collecting or selling their personal information.
- Ask businesses to identify the categories of personal information they collect.
- Access and download the personal information businesses collect on them.
- Opt out of the sale of their personal information.
- Demand their personal information not be shared for business purposes.
- Request the deletion of their personal information.
- Sue businesses that experience data breaches or otherwise violate the law.
However, consumers do not enjoy these rights during their interactions with every business in the state of California. The CCPA only applies to certain companies.
What Businesses Does the CCPA Apply To?
The CCPA applies to for-profit organizations that do business in California and meet any of the following:
- Have annual gross revenues in excess of $25 million;
- Buy, sell, or receive the personal information of more than 50,000 California residents, households, or devices; or
- Derive more than half of their annual revenue from the sale of California residents’ personal information.
The CCPA doesn’t apply to organizations that operate “wholly outside” of California. It also does not apply to aggregated or de-identified personal information.
Additionally, the CCPA exempts data that is already covered under another state or federal law, such as:
- The Health Insurance Portability and Accountability Act (HIPAA);
- The Confidentiality of Medical Information Act (CMIA); or
- The Gramm-Leach-Bliley Act (GLBA).
Nonprofit organizations and government agencies that operate in California are exempt from the CCPA.
California Consumer Privacy Act Compliance
To comply with their obligations under the CCPA, businesses must:
- Have a process by which they can receive consumer requests.
- Provide California consumers with the information to which they are legally entitled promptly and without charge.
- Add a “Do Not Sell My Personal Information” button to their website that allows consumers to opt out of the sale of their data.
- Implement a process by which consumers may delete their personal information.
- Implement reasonable security measures to protect consumers’ personal information.
- Provide their employees with training to ensure requests are handled in accordance with the law.
Additionally, businesses in California cannot discriminate against consumers who choose to exercise their rights under the CCPA.
Organizations that experience data breaches as a result of their failure to comply with the CCPA may face lawsuits. The act grants consumers the right to seek up to $750 in statutory damages per incident.
The Attorney General can also impose penalties of up to $7,500 for intentional violations of the CCPA.