California Consumer Privacy Act

Last updated
California Consumer Privacy Act
Seal of California.svg
California State Legislature
Full nameCalifornia Consumer Privacy Act of 2018 [1]
IntroducedJanuary 3, 2018
Signed into lawJune 28, 2018
Governor Jerry Brown
Code California Civil Code
Section1798.100
ResolutionAB-375 (2017–2018 Session)
Website Assembly Bill No. 375
Status: Current legislation

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The bill was passed by the California State Legislature and signed into law by the Governor of California, Jerry Brown, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. [2] Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg. [3] [4]

Contents

Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 13, 2018. [5] [6] Additional substantive amendments were signed into law on October 11, 2019. [7] The CCPA became effective on January 1, 2020. [8] In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA. [9]

Intentions of the Act

The intentions of the Act are to provide California residents with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed and to whom.
  3. Say no to the sale of personal data.
  4. Access their personal data.
  5. Request a business to delete any personal information about a consumer collected from that consumer. [10]
  6. Not be discriminated against for exercising their privacy rights.

Compliance

The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, does business in California, and satisfies at least one of the following thresholds:

Organizations are required to "implement and maintain reasonable security procedures and practices" in protecting consumer data. [13]

The businesses that the CCPA refers to do not need to be physically present in California. As long as the business is active in the state and meets the requirements, they are considered to be under the CCPA. This includes transactions done on the Internet. In comparison to other privacy laws like the GDPR, the CCPA lacks clarity about its geographic range. [14]

Responsibility and accountability

Sanctions and remedies

The following sanctions and remedies can be imposed:

The CCPA differs from the Virginia Consumer Data Protection Act in that the former provides a private right of action, whereas the latter is enforced by the Attorney General's office. [21]

Definition of personal data

CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, license plate number, passport number, or other similar identifiers. [2]

An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. [22]

It does not consider Publicly Available Information as personal. [23]

Key differences between CCPA and the European Union's General Data Protection Regulation (GDPR) include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information. [24] CCPA differs in definition of personal information from GDPR as in some cases the CCPA only considers data that was provided by a consumer. The GDPR does not make that distinction and covers all personal data regardless of source. In the event of sensitive personal information, this does not apply if the information was manifestly made public by the data subject themselves, following the exception under Art.9(2),e). As such, the definition in GDPR is much broader than defined in the CCPA. [25] [26] [27]

Personal data can also include online or social media profile information. Personal data is not limited to a number or a physical document but can also be online identities, accounts, and other personal information.

History

The California Consumer Privacy Act of 2018 was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy. [28] The California DOJ approved the initiative's official language on December 18, 2017, allowing the group to begin collecting signatures. [29] In June 2018, the proponents gathered enough signatures to qualify the CCPA initiative for the November 2018 election. [30] In California, the state legislature cannot repeal or amend a ballot proposition once it is passed by voters. [31] In response to the CCPA ballot proposition, state legislators negotiated with Californians for Consumer Privacy to pass a less restrictive version of the CCPA in exchange for the withdrawal of the ballot proposition. [32]

The CCPA was passed by the state legislature and signed by Gov. Brown on June 28, 2018; it became effective on January 1, 2020. [33] [34] The act's effect was dependent upon the withdrawal of initiative 17–0039, the Consumer Right to Privacy Act. [35] Five amendments were enacted and signed by Gov. Newsom on October 11, 2019. [36] Notice of DOJ's proposed regulations was also published October 11 in the Z Register; As of January 10,2020 the OAL had not yet filed the final regulations with the Secretary of State, as required for the regulations to become effective. [36] [37]

The California Privacy Rights Act of 2020 proposed several changes to the CCPA. [38] The Act, also known as 2020 California Proposition 24, expands existing data privacy laws by allowing consumers greater control of their personal data and establishing the California Privacy Protection Agency. [39] It passed, with a majority of voters approving the measure. [40]

Exemptions

A big area of the CCPA exemption is the personal health information (PHI) that is gathered. [41] Rather than the data being treated with the CCPA guidelines in mind, it is expected for PHI to adhere to the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. [41] If the business collecting the data is related to clinical trials, then it must adhere to the "Common Rule". [42]

As for the information that is gathered by financial institutions, the institutions follow the California Financial Information Privacy act or the Gramm-Leach-Bliley Act depending on the situation. [41] [43]

See also

Related Research Articles

Consumer privacy is information privacy as it relates to the consumers of products and services.

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 185 national constitutions mention the right to privacy. On December 10, 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR); while the right to privacy does not appear in the document, many interpret this through Article 12, which states: "No one shall be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

<span class="mw-page-title-main">Privacy laws of the United States</span>

Privacy laws of the United States deal with several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into their private affairs, discloses their private information, publicizes them in a false light, or appropriates their name for personal gain.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

California S.B. 1386 was a bill passed by the California legislature that amended the California law regulating the privacy of personal information: civil codes 1798.29, 1798.82 and 1798.84. This was an early example of many future U.S. and international security breach notification laws, it was introduced by California State Senator Steve Peace on February 12, 2002, and became operative July 1, 2003.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

<span class="mw-page-title-main">California Health and Safety Code</span> U.S. state law

The California Health and Safety Code is the codification of general statutory law covering the subject areas of health and safety in the state of California. It is one of the 29 California Codes and was originally signed into law by the Governor of California on April 7, 1939.

The California Online Privacy Protection Act of 2003 (CalOPPA), effective as of July 1, 2004 and amended in 2013, is the first state law in the United States requiring commercial websites on the World Wide Web and online services to include a privacy policy on their website. According to this California State Law, under the Business and Professions Code, Division 8 Special Business Regulations, Chapter 22 Internet Privacy Requirements, operators of commercial websites that collect Personally Identifiable Information (PII) from California's residents are required to conspicuously post and comply with a privacy policy that meets specific requirements. A website operator who fails to post their privacy policy within 30 days after being notified about noncompliance will be deemed in violation. PII includes information such as name, street address, email address, telephone number, date of birth, Social Security number, or other details about a person that could allow a consumer to be contacted physically or online.

<span class="mw-page-title-main">LGBTQ rights in California</span>

California is seen as one of the most liberal states in the U.S. in regard to lesbian, gay, bisexual, transgender, and queer (LGBTQ) rights, which have received nationwide recognition since the 1970s. Same-sex sexual activity has been legal in the state since 1976. Discrimination protections regarding sexual orientation and gender identity or expression were adopted statewide in 2003. Transgender people are also permitted to change their legal gender on official documents without any medical interventions, and mental health providers are prohibited from engaging in conversion therapy on minors.

Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

<span class="mw-page-title-main">Ed Chau</span> American judge

Edwin “Ed” Chau is an American jurist and politician who served in the California State Assembly as a Democrat representing the 49th state assembly District from 2012 to 2021. On November 29, 2021, California Governor Gavin Newsom appointed Chau to be a judge in the Los Angeles County Superior Court.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation, abbreviated GDPR, or French RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Genetic privacy involves the concept of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to one's genetic information. This concept also encompasses privacy regarding the ability to identify specific individuals by their genetic sequence, and the potential to gain information on specific characteristics about that person via portions of their genetic information, such as their propensity for specific diseases or their immediate or distant ancestry.

<span class="mw-page-title-main">2020 California elections</span>

The California state elections in 2020 were held on Tuesday, November 3, 2020. Unlike previous election cycles, the primary elections were held on Super Tuesday, March 3, 2020.

<span class="mw-page-title-main">Dark pattern</span> Deceptive user interface designs

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces". In 2023 he released the book Deceptive Patterns.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

<span class="mw-page-title-main">California Privacy Rights Act</span> Privacy and data protection law in California, U.S.

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.

References

  1. "AB-375, Chau. Privacy: personal information: businesses". California State Legislature . Retrieved 19 November 2018.
  2. 1 2 The California Consumer Privacy Act of 2018.
  3. 1 2 Lapowsky, Issie (June 28, 2018). "California Unanimously Passes Historic Privacy Bill". Wired. Retrieved September 17, 2019.
  4. "Bill Text - AB-375 Privacy: personal information: businesses". Leginfo.legislature.ca.gov. Retrieved 27 November 2018.
  5. 1 2 3 4 "Bill Text - SB-1121 California Consumer Privacy Act of 2018". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  6. "How the new California data privacy act could impact all organizations". Information Management. Archived from the original on 2019-01-31. Retrieved 2019-01-30.
  7. "Governor Newsom Issues Legislative Update 10.11.19". 12 October 2019. Retrieved 2019-11-08.
  8. "2019 is the Year of . . . CCPA? [Infographic]". The National Law Review. January 8, 2019. Retrieved 2019-01-30.
  9. "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
  10. Senate Bill No. 1120, Chapter 735, Sec.2, 1798.105
  11. "California Consumer Privacy Act (CCPA) Fact Sheet" (PDF). State of California - Department of Justice - Office of the Attorney General. Retrieved 2020-03-25.
  12. "CCPA Guide: Are You Covered by the CCPA". JD Supra. Retrieved 2019-01-30.
  13. "TITLE 1.81.5. California Consumer Privacy Act of 2018 - CA Legislative Information".
  14. Illman, Erin; Temple, Paul (Winter 2020). "California Consumer Privacy Act: What Companies Need to Know". The Business Lawyer. 75 (1): 1637–1646. ProQuest   2350105509.
  15. "Control Your Personal Information | CA Consumer Privacy Act". caprivacy.org. Archived from the original on 2019-01-31. Retrieved 2019-01-30.
  16. Valetk, Harry A.; Hengesbaugh, Brian (December 18, 2018). "A Practical Guide to CCPA Readiness: Implementing Calif.'s New Privacy Law (Part 2)". Corporate Counsel. Retrieved 2019-01-30.
  17. "Today's Law As Amended". leginfo.legislature.ca.gov. Retrieved 2019-01-30.
  18. Captain, Sean (2018-07-02). "Here are 5 key details in California's new privacy law". Fast Company. Retrieved 2019-01-30.
  19. "Federal accessibility laws don't matter — California's accessibility laws do". Medium.com. Retrieved 12 November 2018.
  20. "How does the California Consumer Privacy Act apply to Australian businesses?". www.gladwinlegal.com.au. 12 August 2020. Retrieved 24 August 2020.
  21. Rippy, Sarah (March 3, 2021). "Virginia passes the Consumer Data Protection Act". International Association of Privacy Professionals . Retrieved March 8, 2023.
  22. TITLE 1.81. CUSTOMER RECORDS[1798.80 - 1798.84] (Law DIVISION 3. OBLIGATIONS [1427 - 3273] e). California State Legislature. January 1, 2010.PD-icon.svg This article incorporates text from this source, which is in the public domain .
  23. Privacy: personal information: businesses (Assembly Bill 1798.140/(o)(2)). California State Legislature. June 28, 2018.
  24. "How to Prepare for the CCPA – Here Are the Resources You Need". CGOC The Council. 2019-10-06. Archived from the original on 2019-10-09. Retrieved 2019-10-15.
  25. Fielding, John (Feb 4, 2019). "Four differences between the GDPR and the CCPA". HelpNet Security.
  26. "How to Prepare for the CCPA – Here Are the Resources You Need". CGOC. 2019-10-08. Archived from the original on 2019-10-09. Retrieved 2019-10-08.
  27. Skiera, Bernd; Miller, Klaus, M.; Jin, Yuxi (2022). The Impact of the General Data Protection Regulation (GDPR) on the Online Advertising Market. La Vergne: Bernd Skiera. p. [ page needed ]. ISBN   978-3-9824173-3-2. OCLC   1301513718.{{cite book}}: CS1 maint: multiple names: authors list (link)
  28. Wakabayashi, Daisuke (14 May 2018). "Silicon Valley Faces Regulatory Fight on Its Home Turf". The New York Times .
  29. "Proposed Initiative Enters Circulation: Establishes New Consumer Privacy Rights; Expands Liability For Consumer Data Breaches" (Press release). California Secretary of State. 18 December 2017.
  30. "The California Privacy Rights Act Has Passed: What's in It?". JD Supra. Retrieved 2020-12-10.
  31. "Laws governing the initiative process in California". Ballotpedia. Retrieved 2020-12-10.
  32. "California lawmakers agree to new consumer privacy rules that would avert showdown on the November ballot". Los Angeles Times. 2018-06-22. Retrieved 2020-12-10.
  33. "California Unanimously Passes Historic Privacy Bill". Wired. ISSN   1059-1028 . Retrieved 2020-12-10.
  34. Stephens, John (2 July 2019). "California Consumer Privacy Act". Business and Corporate Litigation Committee Newsletter. American Bar Association.
  35. Cohen, Rodgin; Evangelakos, John; Mousavi, Nader; Schwartz, Matthew; Friedlander, Nicole (23 July 2018). "Sullivan & Cromwell Discusses California Consumer Privacy Act of 2018". CLS Blue Sky Blog. Columbia Law School.
  36. 1 2 Das, Anjali; Ferrari, Stefanie (3 December 2019). "California Consumer Privacy Act Effective January 1: Update". The National Law Review.
  37. Hutnik, Alysa Zeltzer; Townley, Katie; Khouryanna, DiPrima (23 October 2019). "CCPA Draft Regulations: What to Know About Timing and Process". Ad Law Access.
  38. "California Proposition 24, Consumer Personal Information Law and Agency Initiative (2020)". Ballotpedia. Retrieved 2020-10-25.
  39. "Text of Proposed Laws - Proposition 24" (PDF). California Secretary of State. Archived (PDF) from the original on 2020-10-18.
  40. Hooks, Chris Nichols, Kris. "What We Know About California Proposition Results". www.capradio.org. Retrieved 2020-12-08.{{cite web}}: CS1 maint: multiple names: authors list (link)
  41. 1 2 3 "California Consumer Privacy Act FAQs for Covered Businesses". Jackson Lewis. 2019-10-10. Retrieved 2020-11-11.
  42. "The California Consumer Privacy Act" (PDF).
  43. "Codes Display Text". leginfo.legislature.ca.gov. Retrieved 2020-11-11.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.