The California Consumer Privacy Act (CCPA) gives California residents control over the personal data that businesses collect about them.
The California Consumer Privacy Act (CCPA) is a piece of data privacy legislation that applies to most businesses that process the personal data of California residents. The CCPA gives California residents a certain amount of control over the personal data that businesses collect about them.
The CCPA went into effect on January 1, 2020. In late 2020, California voters passed a ballot proposition, the California Privacy Rights Act (CPRA), which amended and expanded the CCPA. The CCPA will continue to be revised over time.
The CCPA gives consumers the following important rights:
The banner also offers Alice a choice: She can choose to not allow news.example.com to sell information about her location to ad networks by clicking a button that reads "Do Not Sell My Personal Info." Or, she can click "Accept and Continue" to allow this data sale. She has this choice because she has a right to opt out.
Now imagine Alice clicks "Do Not Sell My Personal Info" because she would rather keep her location as private as possible. All of a sudden, all the content on news.example.com becomes locked, and Alice can no longer watch videos or read articles on the website. This would be a violation of the CCPA, because Alice has a right to non-discrimination — news.example.com has to provide the same services at the same price to Alice that they provide to their other users who allow the sale of their data.
The CCPA applies to the personal data of California residents only. However, any organization can be subject to the CCPA if it collects data about California residents, no matter where the organization is based.
The CCPA applies to organizations that do any amount of business in California and meet one of the following descriptions:
The CCPA does not apply to nonprofit organizations, government agencies, or certain kinds of financial institutions — for example, a California resident cannot avoid paying off a debt by asking the debt collecting agency to delete their personal information.
The CCPA defines "personal information" in this way:
"'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA also lists many types of data that are considered personal information, including:
The full list can be found in the California Consumer Privacy Act, section 1798.140.
The CCPA also clarifies that publicly available information, such as information in legally obtained government records, is not considered personal information.
Note that this definition of "personal information" is unique to the CCPA. Other privacy frameworks, such as the European Union's General Data Protection Regulation (GDPR), use their own definitions.
Aside from the fact that these two privacy frameworks apply to different regions, the CCPA and the GDPR are not the same. They define terms differently, have different requirements for businesses, and have different fine and penalty structures. Compliance with the GDPR does not guarantee compliance with the CCPA, and vice versa.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law regulating healthcare data privacy and protection. The CCPA does not apply to personal health information that is already regulated by HIPAA.
A "cookie" is a small file of information that a website generates and sends to a user's web browser when they visit the website. Some cookies collect user browsing history, user search history, or a user's interactions with a website. All of these are considered "personal information" under the CCPA. Because of the right to know, organizations have to let users know what data they collect via cookies and how that data is used.
However, unlike some other privacy frameworks, the CCPA does not require organizations to get a user's consent for cookies.