What is the CCPA?

The California Consumer Privacy Act of 2018 (“CCPA”) is a law that grants California residents new rights to know about and control the collection, sharing, and sale of a broad array of personal information, ranging from email addresses and social security numbers, to biometric information and IP addresses. The CCPA imposes corresponding legal obligations on businesses, mandating transparency with consumers about their collection and sale of personal information.

Most significantly, the CCPA requires businesses to delete consumers’ personal information when requested (subject to certain exceptions), and inform consumers – at the point of collection – about the personal information they collect, the types of third parties they share that information with, and whether they sell personal information. Businesses that sell personal information have additional requirements, including allowing consumers to opt-out of the sale.

The CCPA generally applies to for-profit businesses that do business in California and either (a) have annual gross revenues of more than $25 million; or (b) buy, sell, or receive the personal information of 50,000 or more consumers; or (c) derive 50% or more of their annual revenues from selling personal information. The CCPA may also apply to non-profit organizations under certain circumstances.

The CCPA holds businesses accountable to its requirements through a variety of enforcement mechanisms, including legal enforcement actions by the California Attorney General and the assessment of civil fines. The CCPA took effect on January 1, 2020, and the Attorney General’s office will begin enforcing it on July 1, 2020.

For the full text of the law, see Cal. Civ. Code section 1798.100 et. seq.