CCPA – California Consumer Privacy Act – Obligations and rights under the new California Data Protection Act
California takes a stand on digital consumer data protection. In order to ensure the privacy rights of digital consumers, users may demand to know what information is collected and how it is used and sold
California is the first state within the United States to generate a data protection law to prevent the marketing of personal consumer information without your authorization. It went into effect in early 2020. The Act provides for the protection of consumer data by technology companies that collect information. This law gives any digital user the right to demand protection of their data, such as not being sold, and to know why the information is being collected.
These are the points of the California Consumer Privacy Act (CCPA) that consumers and businesses must know.
Consumer Rights | CCPA
Its goal of ensuring new privacy rights for California’s digital consumers. These include knowing what information is collected, how your personal information is used, shared, or sold.
You also have the right to ask for the removal of personal information held by companies or business service providers, or to decide about the sale of these. For information from children under 13, you must be authorized by a parent or guardian. Consumers may not be discriminated against on the basis of price or service when exercising their right to privacy under the CCPA.
Obligations of Companies Subject to the CCPA
Companies whose gross annual revenues exceed $25 million and receive personal information from 50,000 or more consumers, as well as companies that obtain 50% or more of their annual revenues from the sale of personal information from consumers, will be subject to the new law. The law will give additional obligations to companies that manage the personal information of more than 4 million consumers.
They will notify their consumers of the data collected by the company and generate procedures to respond to consumers about their request to opt-out, learn and delete personal information, so they must also provide a “do not sell my information” link on their website or mobile application.
They will be required to respond to consumer requests to learn, delete and opt-out within a specified time period and will have the privacy settings enabled or the user’s personal data opt-out.
For each request they receive regarding the handling of personal data, companies will be obliged to verify the identity of consumers in order to make requests and may deny the request if they cannot corroborate the person’s identity.
When a business uses personal information, it must disclose the financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they estimate the value of the personal information.
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions and requirements. A company that complies with the GDPR and is subject to CCPA may have additional obligations under CCPA. To see both legal frameworks compared click here.
According to estimates in the Standardized Regulatory Impact Assessment, the CCPA will protect over $12 billion in personal information used for advertising in California each year. In the first six months there will be a grace period for companies to reach a balance. Fines of up to $7,500 are expected for each violation. With the entry into force of data protection obligations and rights, the rules of the game will change in the US market and will probably be copied by other countries around the world.