In 2018, California enacted the most comprehensive privacy law in the US, the California Consumer Privacy Act of 2018 (CCPA). The CCPA applies to any for-profit entity that handles data from California residents and meets one of the following three criteria: (i) has an annual gross revenue of more than $25 million; (ii) processes the personal information of 50,000 or more California individuals, households, or devices annually; or (iii) derives 50 percent or more of its annual revenue from “selling” consumers’ personal information.[1]
Key requirements of the CCPA include:
- informing consumers about the categories of information collected, and the purpose of collecting it;
- allowing consumers to opt out of any “sale” of personal information;
- disclosing the categories, sources, business purpose, and specific pieces of information collected about a consumer;
- providing specific notice to consumers on every Internet web page where personal information is collected; and
- responding to consumer requests to delete personal information – and directing third parties to do the same.[2]
The CCPA goes into effect on January 1, 2020, though no enforcement action will be brought until July 1, 2020 or six months after the California Attorney General promulgates its final regulations, whichever is sooner.[3]
[1] Cal. Civ. Code § 1798.140(c).
[2] Id. § 1798.100 et seq.
[3] Id. § 1798.185(c).
[4] See Cal. Bus. & Prof. Code §§ 22575-22579.