California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (Proposition 24), grants California residents enhanced rights over their personal data and places new obligations on businesses. This law, one of the most comprehensive U.S. privacy laws to date, gives consumers the right to know what personal information is collected, request its deletion, correct inaccuracies, and opt out of its sale or sharing.

The CPRA, approved by voters in 2020 and effective in 2023, also created the California Privacy Protection Agency (CPPA) to enforce the law and added a right to limit the use of “sensitive personal information”. 

Legal advice can help businesses, local jurisdictions and other entities ensure compliance with the California Consumer Privacy Act and help residents protect their rights.

Who is Covered by the CCPA?

The California Consumer Privacy Act applies to for-profit businesses operating in California that meet certain thresholds, such as having over $25 million in annual revenue or handling the data of a significant number of consumers or households.

Consumer Rights

California consumers have several rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to request deletion of this information, and the right to opt out of the sale or sharing of their personal information. Consumers also have the right to correct inaccurate information and to direct businesses to limit the use and disclosure of sensitive personal information. Businesses are prohibited from discriminating against consumers for exercising these rights.

Key Consumer Rights under the CCPA/CPRA

Right to Know: Consumers can request information about the personal data a business collects, uses, shares, and sells.

Right to Delete: Consumers can request that a business delete the personal information it has collected about them. The ability to delete personal information has also been significantly strengthened by the recent California Delete Act, providing state residents with the ability to demand the deletion of their personal information from data brokers through a single, streamlined request.

Right to Correct: Consumers have the right to request that a business correct inaccurate personal information.

Right to Opt-Out:

Sale/Sharing: Consumers can opt out of the sale or sharing of their personal information.

Sensitive Information: Consumers can limit the use and disclosure of sensitive personal information, such as social security numbers or precise geolocation, to only what is necessary to provide the requested service.

Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights. 

Business Obligations

Covered businesses must comply with the requirements of the California Consumer Privacy Act, such as providing clear data collection notices, offering methods for consumers to submit requests, and implementing reasonable security measures to protect consumer data.

Key Business Obligations under the CCPA/CPRA

Transparency: Businesses must inform consumers about data collection practices, including the categories of personal information collected and the purposes for which it will be used.

Security: Businesses must implement and maintain reasonable security procedures and practices to protect personal information.

Consumer Request Handling: Businesses must have systems in place to respond to consumer requests to know, delete, or correct their information.

Sensitive Data: Businesses have stricter obligations regarding the use and sharing of sensitive personal information.

Child Protection: Fines are tripled for violations involving children’s data, and specific opt-in consent rules apply for children under 16. 

Data Broker Registration: Pursuant to the recent California Delete Act, data brokers must register with the California Privacy Protection Agency annually in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-Out Platform (DROP). Beginning August 1, 2026, registered data brokers must access the DROP system at least every 45 days to retrieve and process all new deletion requests.

Enforcement and Penalties

Enforcement of the California Consumer Privacy Act is handled by the California Attorney General and the California Privacy Protection Agency (CPPA). The CPPA is responsible for implementing and enforcing the CCPA, as amended by the CPRA. The California Privacy Protection Agency has the authority to investigate and prosecute noncompliance, including imposing penalties for violations, such as those resulting from a data breach where reasonable security measures were not taken. Violations can lead to significant penalties. Consumers may also be able to pursue action in cases of data breaches due to inadequate security.

Key takeaways

The CPRA expanded upon the original CCPA, creating a more robust privacy framework for California residents.

The law applies to businesses that handle the personal information of California residents and meet certain thresholds, not just businesses physically located in California.
