[The] simple overview first... it's all about data privacy and making sure that a user is clear and has control over their privacy. Whether you are giving them cookies or having them submit forms, that user needs to be in control of where that data goes and how that data is managed.
- Joe Krug, Finsweet livestream
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents in the US state of California. The bill was passed by the California State Legislature and signed into law on June 28, 2018.
The CCPA gives California residents more control over the personal information that businesses collect about them. The law has several key provisions:
- Right to Know: Consumers have the right to request that a business disclose the categories and specific pieces of personal information that it has collected.
- Right to Delete: Consumers have the right to request the deletion of personal information held by a business.
- Right to Opt-Out: Consumers have the right to direct a business that sells personal information to third parties not to sell their personal information.
- Non-Discrimination: A business cannot discriminate against a consumer for exercising their rights under the CCPA. This includes charging the consumer who exercises their rights a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer's data.
- Mandatory Disclosure: Businesses must disclose data collection and sharing practices to consumers upon or before collection.
The CCPA was extended in November 2020 by the CPRA.
What is the CPRA?
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a law passed by California voters in the November 2020 elections that expands and amends the provisions of the California Consumer Privacy Act (CCPA).
The CPRA brings a number of significant changes to the existing law, enhancing privacy protections for California residents. Here are some of the key features of the CPRA:
- Creation of the California Privacy Protection Agency (CPPA): This new agency will have the power to enforce the CPRA, making it the first agency in the U.S. dedicated to privacy regulation.
- New category of 'sensitive personal information': This includes data such as social security numbers, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, sexual orientation, and more. Consumers have the right to limit the use and disclosure of such information.
- Right to correct: Consumers can request businesses to correct inaccurate personal information held about them.
- Data minimization and purpose limitation: Businesses must limit the collection of personal information to what is necessary and relevant for the purposes for which it was collected, and they must not retain personal information for longer than is reasonably necessary.
- Risk assessment and regular audits: Businesses whose processing presents significant risk must perform regular cybersecurity audits and submit risk assessments to the CPPA.
- Increased penalties for violations involving children's personal information: The CPRA triples the maximum penalties for violations involving children's personal information.
The CPRA is expected to become operative on January 1, 2023, and the California Privacy Protection Agency will start enforcing it from July 1, 2023.
While it's a state law, the CPRA may have broader impacts on privacy legislation and practices outside California due to the state's significant economic influence.