CCPA grants new rights to California consumers
- Right to know – Consumers may request that businesses disclose what personal information is collected, used, shared or sold by the business, in both categories and specific pieces of information;
- Right to delete — Consumers may request that a business delete the consumer’s personal information held by both the business and by extension, the business’s service providers;
- Right to opt-out — Consumers may direct a business to cease the sale of the consumer’s personal information. As required by the law, businesses must provide a “Do Not Sell” information link on their websites or mobile apps;
- Rights for minors regarding opt-in consent — Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13; and
- Right to non-discrimination — Businesses may not discriminate against consumers in terms of price or service when a consumer exercises a privacy right under CCPA.
Businesses subject to CCPA
Not all California businesses are subject to CCPA. A
business is subject to CCPA if the business:
- Has gross annual revenue in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
In addition, as proposed by the draft regulations, businesses
that handle the personal information of more than four million consumers will
have additional record-keeping obligations.
Data Broker Registry
As required by California Civil Code section 1798.99.80,
a data broker must register with the Attorney General
at https://www.oag.ca.gov/data-broker/register.
The law mandates that a data broker shall pay a registration fee and provide
information including primary physical, email, and internet website addresses,
as well as any additional information or explanation the data broker chooses to
provide concerning its data collection practices. The registry is accessible to
consumers.
Consumers’ private right of action in the case of a data
breach
Businesses are required to implement and maintain reasonable
security procedures and practices to protect consumers’ personal information,
and CCPA authorizes a consumer to institute a civil action if their
personal information, as defined in subparagraph (A) of paragraph (1) of
subdivision (d) of Section 1798.81.5 is subject to an unauthorized breach as a
result of a business’s failure to reasonably secure this data.
Consumers were able to begin exercising the rights listed
above under the CCPA on January 1, 2020. Under Civil Code 1798.100 -
1798.199, businesses subject to CCPA were required to begin complying
with the law on January 1, 2020.
The full press release is
available, here.
No comments:
Post a Comment