The California Consumer Privacy Act (CCPA) is one of the most comprehensive data privacy laws in the US. It grants California consumers more control over their personal information, allowing them to understand how their data is being used, and to request that their data be deleted or not sold to third parties.
The law applies to for-profit entities that do business in California and either have gross annual revenues of more than $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenues from selling California residents’ personal information.
Key regulatory requirements
- Consumers can request details about the specific personal information a business has collected about them.
- Consumers can ask businesses to delete their personal information.
- Consumers can instruct businesses that sell their personal information to third parties to stop doing so.
- Businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as charging different prices or providing a different level of service.
The CCPA is enforced by the California Attorney General. Violations that are not resolved within 30 days of notice can result in civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. In cases of data breaches, consumers can recover damages of between $100 and $750 per consumer, per incident, or actual damages (whichever is greater).