Some businesses, like Facebook, collect data that you voluntarily supply, like your age, employer, relationship status, and where you live. They also track the other places you visit online and what apps you use and then use all that information to sell advertisements. This practice sounds relatively harmless, but after revelations in March 2018 that a political data firm, Cambridge Analytica, improperly harvested and used 87 million users' personal data, the way Facebook and other businesses treat personal information has been under increasing scrutiny. (To learn more about Facebook's Cambridge Analytica scandal and the need for heightened privacy laws, see Social Media and Your Privacy Rights.)
In June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) (Cal. Civ. Code § 1798.100 and following) into law. This groundbreaking law is the first United States law patterned after the European Union's General Data Protection Regulation (GDPR). (The GDPR is the primary law in Europe that regulates how companies protect EU citizens' private data and fundamentally reshaped how businesses must handle personal information there.)
As of its effective date—January 1, 2020—the CCPA gives consumers in California four basic rights concerning how businesses use their personal information. Read on to learn more about these rights, how to invoke them, and how to enforce them.
The California Consumer Privacy Act extends specific privacy rights and protections to California residents, including:
Under the California Consumer Privacy Act, you have the following four basic rights.
You have the right to know, through a general privacy policy, the categories of personal information collected and how the business will use that information. You also have the right to request specific information, like what personal information the business has collected about you, where it generally got that information, what the information is being used for, what kind of personal information about you the business has sold, and what types of third parties it has sold your personal information to. (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115).
You may request that a business delete your personal information. The business must erase your data upon receipt of your request. But a business doesn't have to erase your information under certain circumstances, like if the information is necessary to complete the transaction for which the personal information was collected or if it's needed to perform a contract between you and the business. (Cal. Civ. Code § 1798.105).
You may opt out of the sale of your personal information. A business has to provide a "Do Not Sell My Personal Information" link on its Internet homepage that links to a page that enables you to opt out of the sale of your personal information. (Cal. Civ. Code § 1798.120, § 1798.135).
Also, a business generally can't sell the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age. However, the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, can authorize the sale of information. (Cal. Civ. Code § 1798.120).
The California Consumer Privacy Act prohibits a business from discriminating against you if you exercise your rights under this law, and the law includes a prohibition on charging a different price or providing you with a different quality of goods or services after you exercise your rights, except if the difference is reasonably related to the value provided to you by your data. (Cal. Civ. Code § 1798.125).
The California Consumer Privacy Act applies to for-profit entities that collect and process the personal information of California residents and that do business in the State of California. Also, for the CCPA to apply, the business must:
Nonprofit businesses, as well as companies that don't meet any of the three above criteria, don't have to comply with the CCPA.
Under the California Consumer Privacy Act, "personal information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." (Cal. Civ. Code § 1798.140(o)(1)). This definition of "personal information" is much broader than typical privacy-related laws in the United States.
The CCPA's definition of "personal information" also includes a wide range of examples, like:
Publicly available information, however, is not considered personal information.
The California Consumer Privacy Act provides consumers with a private right of action (the right to file a lawsuit) after satisfying certain procedural requirements, if their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure because the business didn't comply with the law. Damages in any private action that a consumer brings will be not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. (Cal. Civ. Code § 1798.150).
Also, the California Attorney General can file suit against companies that don't comply with the law. Any business, service provider, or other person found in violation is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. (Cal. Civ. Code § 1798.155).
To get more information about your rights under the California Consumer Privacy Act or to learn about filing a lawsuit against a company that has violated this law, including the procedural requirements you need to follow before initiating such a suit, consider talking to a consumer protection lawyer.