Judy Selby Consulting


Basics of the California Consumer Privacy Act

June 29, 2018 by Judy Selby

When: The Act goes into effect on January 1, 2020, and will be subject to clarification by the legislature before that date.

Who: With important caveats, it applies to businesses that collect consumer personal data.

For purposes of the Act, “business” means a for-profit legal entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in California.” To be subject to the Act, the business must satisfy one of the following thresholds:

  • Have annual adjusted gross revenues greater than $25 million;
  • Buy, receive, sell, or share personal information of 50,000 or more consumers; or
  • Derive 50% of its annual revenue from selling consumers’ personal information. [1798.140 (c)]

The term “consumer” means “a natural person who is a California resident” as defined by California law. [1798.140 (g)]

“Personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to data that typically is considered personal, the Act also includes categories like products or services “purchased, obtained, or considered, or other purchasing or consuming histories or tendencies,” geolocation information, “audio, electronic, visual, thermal, olfactory, or similar information,” professional or employment-related information, and education information. [1798.140 (o)]

What: Generally, the Act gives consumers the right to:

  • Request that a business disclose the categories and specific pieces of information the business has collected [1798.100]
  • Request that a business delete personal information [1798.105]
  • Request that a business disclose categories of personal information and its sources, the business purpose for sale or collection of the information, categories of third parties with whom the information is shared, and the specific pieces of personal information it has collected about the consumer [1798.110]
  • Request that a business that sells the consumer’s personal information disclose the categories of information it has collected and sold, categories of third parties to which it is sold, and the categories of information that the business disclosed for a business purpose [1798.115]
  • Direct a business not to sell the consumer’s personal information [1798.120]

The Act prohibits businesses from denying goods, charging different prices or rates, or providing different levels of service based on a consumer exercising his or her rights under the Act. [1798.125]

How: The privacy components of the Act are enforced by the state Attorney General, but the Act also provides a private right of action for any consumer whose nonencrypted or nonredacted personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Consumers may recover damages of not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. The consumer’s civil action, however, may be preempted if the California Attorney General opts to prosecute an action following the breach or disclosure. The Act allows for a civil penalty of up to $7,500 for each violation in actions brought by the Attorney General. [1798.155]
