The California Consumer Privacy Act (CCPA) is a privacy law that came into effect in 2020. It solidifies consumers’ rights to data privacy, and creates new obligations for businesses that handle personal data. The CCPA applies if a company collects personal information from California residents and also:
- generates over $25M in gross annual revenue,
- buys or sells personal information from more than 50,000 Californians, or
- creates over 50% of its revenue from selling personal information of California residents.
In other words, the CCPA applies to companies with established revenues or whose business model is built on sharing personal information (as would often be the case in AdTech, for example).
Under the CCPA, businesses must protect the rights of consumers to:
- know what personal information the business is collecting,
- request that the business deletes any of their personal information,
- opt out of their personal information being collected or sold.
Businesses need to provide clear notice and obtain explicit permission to collect sensitive data, and implement reasonable measures to protect consumer data. Each violation can cost the business up to $7,500 if intentional, or $2,500 for each unintentional violation. Companies can also be liable in civil suits if they suffer a data breach due to insufficient cybersecurity measures.
The CCPA applies when personal information is being stored or processed using a public cloud. Organizations that store personal information of California residents in their cloud accounts are responsible for compliance – e.g., executing disclosure and deletion requests. In order to comply, companies have to be aware of every cloud data store that contains data which might be subject to a CCPA request. DSPM tools can help identify these data stores.