In 2018, the California Consumer Privacy Act (CCPA) became the newest and most wide-ranging framework established in the US for regulating consumer data usage. The law allows any California consumer to demand to see all personal data a company collects on them. Additionally, the law allows consumers to sue companies that violate the guidelines, even if a data breach does not occur.
The CCPA lays out six intentions behind the law. They include the rights to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete any personal information about them that was collected from them.
- Not be discriminated against for exercising their privacy rights.
The CCPA applies to any for-profit entity that makes at least $25 million in revenue, collects consumer data, and does business in the state of California. With California being the most populous state in the US, the odds are high that your business will do at least some business in the state.
While the CCPA doesn’t go as far as the GDPR on breach response, it does contain a broader definition of personal information, which includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.