CPRA – the California Privacy Rights Act – and the CCPA (California’s Consumer Privacy Act) are the Californian version of the GDPR. Both CCPA and CPRA are said to be elected by California’s voters in November 2020, and the laws are said to come in full effect come January 2023.
The CCPA is said to apply to all business entities doing business in California that collects, shares or sells the data of the people living in California. That’s not it, though: the law applies to businesses that either:
- Have annual revenues in excess of $25 million (gross); or
- Has personal information on 50,000 or more consumers, households, or devices; or
- Sells users’ personal information while at the same earning more than half of its annual revenue.
For those who are interested in learning about CCPA and CPRA on a deeper level, there’s a bit of information on the State of California’s Department of Justice – the information is available here. Here’s what everything means in simple terms:
- All residents of California may ask businesses to disclose information that the business has about them and what they do with that information; all residents also have “the right to be forgotten” (to request the deletion of their data), or request not to sell their data to third-party vendors.
- Personal information is considered to be all information that’s in some way attributable to a person or his or her household.
- Businesses cannot be sued for CCPA violations but can be sued if there’s a data breach (and if they meet certain conditions outlined by the act – basically, if the data breach includes really sensitive data.) For some violations of the privacy act, only an attorney can initiate actions against businesses.
- All businesses that are subject to CCPA must provide a clear statement titled “Do Not Sell My Personal Information” with a link on their website that allows people to opt-out.
- All customers of businesses that are subject to CCPA have the right to request the business to show the personal information the business has collected about them including what information was collected, from what source it has originated, what purpose it’s used for, etc.
- Businesses subject to the act must provide at least two methods for people to submit a right to know how their information is being collected. Businesses must respond to the request within 45 days. With notification, the deadline can be extended to 90 days.
- The CCPA requires businesses to provide customers with information regarding the collection of data – what data is collected, for what purpose, etc. Such a practice is sometimes called a “notice at collection.”
- Businesses that adhere to the CPRA cannot charge different prices, not provide products, etc. simply because you’ve made use of some (or all of) the protection provided by the CPRA. Basically, people should not be discriminated.
- All provisions can be found over at the aforementioned State of California’s Department of Justice – they can be found here.
Some people may have concerns whether CCPA applies to all citizens of the US, and the answer to the best of our knowledge is no. It is said that only California’s residents would have rights outlined by the new privacy act. While some residents of the US might not able to enjoy as much protection as citizens of EU countries do due to GDPR, in our opinion, the introduction of CPRA is certainly a step in the right direction. We hope that this blog post has shed some light on the upcoming act of CPRA (CCPA), make sure to learn more about it on official sources, make sure to scan yourself through a list of known data breaches to be on the safe side when on the web, and until next time!