The California Consumer Privacy Act (CCPA) is a privacy law that was enacted in the state of California, United States, and came into effect on January 1, 2020. The primary objective of CCPA is to enhance consumer privacy rights and provide Californian residents with greater control over their personal information. The law applies to businesses that collect and process personal data of California residents, regardless of where the business is located, as long as they meet certain criteria related to revenue, data processing, or interaction with California consumers.
CCPA grants Californian consumers several rights regarding their personal data. These include the right to know what personal information is being collected, the right to request deletion of their data, the right to opt-out of the sale of their data, and the right to non-discrimination for exercising their privacy rights. Businesses covered by CCPA are required to provide clear and accessible privacy notices to consumers, disclose the categories of personal information collected, and establish mechanisms for consumer requests and data breaches.
Non-compliance with CCPA can result in significant financial penalties. The California Attorney General can enforce penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation. Additionally, consumers have a private right of action in case of certain data breaches, which can result in damages ranging from $100 to $750 per incident, or actual damages if they are greater. These potential fines and legal liabilities emphasize the importance of CCPA compliance for businesses operating within California or collecting data from California residents.
CCPA also has implications for global companies that handle personal data of Californian residents. Organizations that fall under the scope of CCPA must ensure compliance with the law's requirements, even if they are based outside of California or the United States. This means implementing mechanisms to handle consumer requests, providing privacy disclosures, and respecting consumers' opt-out preferences regarding the sale of their data. Global companies may need to review their data processing practices, update their privacy policies, and establish procedures to handle CCPA-related obligations, such as verifying consumer identities and responding to data access or deletion requests.