California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) is a state statute which creates new consumer rights with respect to access to, deletion of, and sharing of personal information that is collected by certain businesses. The law was introduced in 2017 as Assembly Bill 375, was enacted in 2018, and went into effect in January 2020. Enforcement of the law begins July 2020.

The law applies to any business that has more than $25 million in revenue, or that purchases or sells personal information to 50,000 or more consumers, or that derives 50 percent or more of its annual revenue from the sale of consumers' personal information, and that does any business in the State of California.

The tone of the legislation is rather aggressive. The legislation cites the misuse of consumer data by Cambridge Analytica, which was disclosed by Facebook in March 2018.

The CCPA grants California residents a number of new consumer rights. These rights include:

• The right to know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information
• The right to delete personal information held by businesses and by extension, a business's service provider
• The right to opt out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
• The right to non-discrimination in terms of price or service when a consumer exercises her or his privacy right under CCPA.

The CCPA creates a number of new obligations for businesses which are affected by the law:

• Businesses must provide notice to consumers at or before the time data are collected.
• Businesses have to create new procedures to respond to requests from consumers to opt-out, know, and delete data a business may have captured about them.
• Businesses must verify the identity of consumers who make requests to know and to delete their data, regardless of whether the consumer has a password-protected account with the business or its services.
• Businesses must disclose financial incentives offered in exchange for retaining or sale of a consumer's personal information. Furthermore, businesses must also explain how the incentive is permitted under the CCPA.
• Businesses must maintain records of requests and their response for 24 months in order to comply with CCPA. Businesses with more than 4 million consumers have additional record-keeping obligations.

According to estimates from a standardized regulatory impact assessment for the CCPA regulations, performed by Berkeley Economic Advising and Research in August 2019, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year.That same report found that regulatory compliance costs could be between $467 million and $16.54 billion over the decade between 2020 and 2030.

The California Department of Justice (DoJ) has requested an additional 23 full-time positions, at an estimated cost of approximately $4.5 million per year, to monitor compliance.