SACRAMENTO, Jan. 6, 2020 – California Attorney General Xavier Becerra has issued an advisory for consumers highlighting their new rights as part of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The advisory describes consumers’ basic privacy rights under the CCPA and methods for consumers to exercise those rights, information about the data broker registry, and new guidelines related to data security. Enforcement of CCPA is the responsibility of the Office of the Attorney General.
“Knowledge is power, and in today’s world knowledge is derived from data. When it comes to your own data, you should be in control,” said Attorney General Becerra. “In California we are rebalancing the power dynamic by putting power back in the hands of consumers. I encourage all Californians to take a moment to understand their new rights and exercise these rights to take control of their personal data.”
CCPA grants new rights to California consumers
- Right to know – Consumers may request that businesses disclose what personal information is collected, used, shared or sold by the business, in both categories and specific pieces of information;
- Right to delete — Consumers may request that a business delete the consumer’s personal information held by both the business and, by extension, the business’s service providers;
- Right to opt-out — Consumers may direct a business to cease the sale of the consumer’s personal information. As required by the law, businesses must provide a “Do Not Sell” information link on their websites or mobile apps;
- Rights for minors regarding opt-in consent — Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13; and
- Right to non-discrimination — Businesses may not discriminate against consumers in terms of price or service when a consumer exercises a privacy right under CCPA.
Businesses subject to CCPA
Not all California businesses are subject to CCPA. A business is subject to CCPA if the business:
- Has gross annual revenue in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
In addition, as proposed by the draft regulations, businesses that handle the personal information of more than four million consumers will have additional record-keeping obligations.
Data Broker Registry
As required by California Civil Code section 1798.99.80, a data broker must register with the Attorney General at https://www.oag.ca.gov/data-broker/register. The law mandates that a data broker shall pay a registration fee and provide information including primary physical, email, and internet website addresses, as well as any additional information or explanation the data broker chooses to provide concerning its data collection practices. The registry is accessible to consumers.
Consumers’ private right of action in the case of a data breach
Businesses are required to implement and maintain reasonable security procedures and practices to protect consumers’ personal information, and CCPA authorizes a consumer to institute a civil action if their personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized breach as a result of a business’s failure to reasonably secure this data.
Consumers were able to begin exercising the rights listed above under the CCPA on January 1, 2020. Under Civil Code 1798.100 – 1798.199, businesses subject to CCPA were required to begin complying with the law on January 1, 2020.
Consumer complaints may be reported at oag.ca.gov/report or by calling (800) 952-5225. A factsheet regarding the CCPA and the draft regulations proposed by Attorney General Becerra are available at oag.ca.gov/ccpa.