The California Consumer Privacy Act (CCPA), also known as Assembly Bill 375, is a California state law that regulates the collection, use, and disclosure of personal information by businesses. The CCPA affects all for-profit businesses that collect, share, or sell the personal information of California residents, with a minimum threshold of $25 million in annual gross revenues.
The CCPA became effective on January 1, 2020, with a 6-month grace period for enforcement, under Section 1798.130 of the California Civil Code.
California’s Definition of Personal Information
The CCPA defines personal information under Section 1798.140 of the California Civil Code as any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including names, addresses, and online identifiers. This definition includes a minimum of 4 categories of personal information, with a 30-day time limit for businesses to respond to consumer requests. In practice, this means that businesses must be able to provide consumers with a copy of their personal information within 45 days of receiving a request.
The CCPA also establishes a standard for “deidentified” information, which is defined as information that cannot reasonably be linked to a particular individual, under Section 1798.140(h) of the California Civil Code. The statute requires a $7,500 fine for each unintentional violation of the CCPA, with a maximum penalty of $2,500 per intentional violation.
California’s Specific Requirements
Notice Requirements
Under Section 1798.100 of the California Civil Code, businesses must provide consumers with notice of their rights under the CCPA, including the right to opt-out of the sale of their personal information, within 30 days of collecting personal information. In plain terms, this means that businesses must inform consumers about the types of personal information they collect and how it will be used, with a minimum of 2 types of personal information disclosed.
This notice must be provided in a clear and conspicuous manner, with a minimum font size of 10 points, under Section 1798.145 of the California Civil Code. The notice must also include a “Do Not Sell My Personal Information” link, which must be accessible within 2 clicks from the business’s homepage, under Section 1798.135 of the California Civil Code.
Opt-Out Requirements
Under Section 1798.120 of the California Civil Code, businesses must provide consumers with the ability to opt-out of the sale of their personal information, with a minimum of 2 methods for opting out, including a toll-free phone number and a website link. In practice, this means that businesses must provide consumers with a simple and easy-to-use mechanism for opting out of the sale of their personal information, within 15 days of receiving an opt-out request.
The opt-out mechanism must be accessible within 2 clicks from the business’s homepage, under Section 1798.135 of the California Civil Code. The business must also provide consumers with a confirmation of their opt-out request within 10 days, under Section 1798.145 of the California Civil Code.
Verification Requirements
Under Section 1798.140 of the California Civil Code, businesses must verify the identity of consumers who make requests under the CCPA, with a minimum of 2 verification methods, including a government-issued ID and a utility bill. In plain terms, this means that businesses must ensure that the consumer making the request is actually the individual to whom the personal information pertains, within 30 days of receiving a request.
The verification process must be reasonable and proportionate to the risk of harm to the consumer, under Section 1798.150 of the California Civil Code. The business must also provide consumers with notice of the verification process and the types of information that will be required to verify their identity, within 10 days of receiving a request.
Legal Process in California
The California Attorney General’s Office is responsible for enforcing the CCPA, under Section 1798.155 of the California Civil Code. The Attorney General’s Office may bring a civil action against a business that violates the CCPA, with a minimum penalty of $2,500 per intentional violation, under Section 1798.155 of the California Civil Code.
Consumers may also bring a private right of action against a business that violates the CCPA, under Section 1798.150 of the California Civil Code. The consumer must provide the business with written notice of the alleged violation and give the business 30 days to cure the violation, under Section 1798.150 of the California Civil Code.
Penalties and Consequences
The CCPA imposes significant penalties on businesses that violate its provisions, with a maximum penalty of $7,500 per unintentional violation, under Section 1798.155 of the California Civil Code. In practice, this means that businesses that fail to comply with the CCPA may face substantial fines and other penalties, including a $2,500 fine per intentional violation.
The CCPA also provides for a private right of action, which allows consumers to bring a lawsuit against a business that violates the CCPA, under Section 1798.150 of the California Civil Code. The consumer may recover actual damages or statutory damages of up to $750 per consumer per incident, under Section 1798.150 of the California Civil Code.
Comparison to Other States
California is not the only state to have enacted a comprehensive data privacy law, with Nevada and Maine also having enacted similar laws, under Section 603A.360 of the Nevada Revised Statutes and Section 2137 of the Maine Revised Statutes. In plain terms, this means that businesses that operate in multiple states must comply with multiple data privacy laws, with a minimum of 2 states having similar laws.
For example, Nevada’s data privacy law requires businesses to provide consumers with notice of their rights and allows consumers to opt-out of the sale of their personal information, with a minimum of 2 methods for opting out, under Section 603A.360 of the Nevada Revised Statutes. Maine’s law also requires businesses to obtain consent from consumers before collecting or using their personal information, with a minimum of 2 types of personal information disclosed, under Section 2137 of the Maine Revised Statutes.
Practical Steps
Businesses that operate in California must take practical steps to comply with the CCPA, including updating their privacy policies and procedures, under Section 1798.130 of the California Civil Code. In practice, this means that businesses must ensure that they have the necessary systems and processes in place to respond to consumer requests and provide notice of their rights, within 30 days of receiving a request.
Businesses must also provide training to their employees on the CCPA and its requirements, with a minimum of 2 hours of training per year, under Section 1798.160 of the California Civil Code. The business must also designate a person to be responsible for overseeing CCPA compliance, within 10 days of receiving a request.
Recent Changes
The CCPA has undergone several changes since its enactment, with Assembly Bill 25 amending the law to exempt certain types of personal information from its requirements, under Section 1798.145 of the California Civil Code. In plain terms, this means that businesses that collect or use personal information that is exempt from the CCPA may not be required to comply with its provisions, with a minimum of 2 types of personal information exempt.
The California Legislature has also introduced several bills to amend the CCPA, including Senate Bill 980, which would expand the definition of personal information to include additional types of data, under Section 1798.140 of the California Civil Code. The bill would also increase the penalties for violating the CCPA, with a maximum penalty of $10,000 per intentional violation.
The CCPA is likely to continue to evolve in the coming years, with potential changes to its requirements and enforcement mechanisms, under Section 1798.155 of the California Civil Code. In practice, this means that businesses that operate in California must stay up-to-date on the latest developments and ensure that they are complying with the law, with a minimum of 2 updates per year.
