The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents (“Consumers”). It is a law that gives consumers more control over the personal information that businesses collect about them.
In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.
The CPRA, a ballot initiative that amends the CCPA and adds further privacy protections for consumers, passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.
Who does it apply to?
The CCPA applies to for-profit businesses that collect and control California residents’ (“Consumers”) PI, do business in the state of California, and meet at least one of the below conditions.
CCPA Specific Definitions
While not all “collectors” are “sellers,” a seller is most likely a collector.
Consumer Rights
Right to Know/Access – Right to access the specific pieces of personal information the business has collected about the consumer, and the categories set forth in the law (twice annually, free of charge).
Right to Deletion – Right to request that the business delete any personal information it has collected from the Consumer. The CPRA also requires businesses to pass the deletion request on to third parties so that all parties are aware the information must be deleted, subject to some exceptions.
Right to Opt-in and Opt-out – Right to opt out of (i.e. stop) the sale of personal information to third parties; businesses must also provide a mandated opt-in for the sale of personal information of children under the age of 16. An opt-out request can be submitted through a “Do Not Sell My Personal Information” button on the homepage of the organization’s website.
Right to Opt-in: The CPRA expands this right to include the sharing of a minor consumer’s personal information as an additional basis requiring affirmative authorization (“opt-in”). The CPRA states that an organization cannot sell or share the personal information of a consumer who is less than 16 years old (“minor”) unless the business has received “opt-in” consent, i.e., affirmative authorization for the sale or sharing of that information.
Right to Opt-out: The CPRA expands this right to include the sharing of the consumer’s personal information with third parties as well. Additionally, the CPRA provides consumers with access and opt-out rights with respect to the processing of their personal information based on automated decision making, including profiling.
Right to Non-discrimination (also called “Right to Equal Services”) – Right to receive equal services and pricing from the business even after the consumer exercises their privacy rights.
Right to Disclosure – Right to request that a business that sells personal information provide information about specific aspects of its data practices. The CPRA expands this right to include the sharing of personal information as an additional basis for disclosure, to the consumer, of the information specified under the CCPA upon receipt of a verifiable consumer request.
Exceptions to the opt-out right –
Right to Rectification – A consumer has the right to request that an organization which maintains inaccurate personal information about the consumer correct that information, taking into account the nature and purposes of the processing of the information.
Right to Limit Use and Disclosure of Sensitive Personal Information – Consumers have the right to restrict the use of the sensitive personal information collected about them. The business must also ensure the user has clearly visible access to a link on every webpage that makes invoking this right convenient, by placing a prominent “Limit the Use of My Sensitive Personal Information (SPI)” link on its homepage. SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; etc.
Under the “Right to Know/Access”, a Consumer may request that the business disclose the below:
Additionally, the CCPA provides consumers with a private right of action and statutory damages if certain unencrypted and unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure (refer to subsequent slides).
How can Socium Security help?
Socium Security can help companies design security programs to meet the CCPA requirements and provide virtual DPO services to manage the ongoing operational aspects of the requirements.